
InfoBytes Blog

Financial Services Law Insights and Observations


  • Boston Fed President Comments on the Ever-Changing Nature of Cyber Risk

    Privacy, Cyber Risk & Data Security

    On April 4, the Federal Reserve Bank of Boston’s President Eric S. Rosengren delivered remarks at the 2016 Cybersecurity Conference. Rosengren commented on the status of the U.S. economy and the “ever-changing” nature of cyber risk. According to Rosengren, risks in the cyber realm, unlike those related to the economy, are not waning. Significant cyber risk points outlined in Rosengren’s remarks include: (i) banks increasingly have to compete with “fintech” entities that provide similar financial services without the regulatory burden of being a bank; (ii) the rapid growth of new applications and devices may provide consumer convenience, but their designers do not always give security the attention it requires; and (iii) a communication plan that addresses customer, vendor, and regulator concerns in the wake of a breach is critical to mitigating the resulting problems. Finally, Rosengren cautioned that, “[b]anking organizations need to continue to evolve as [cyber risks] morph, and as new innovations and expectations of convenience introduce new challenges to security.”

    Privacy/Cyber Risk & Data Security Federal Reserve Fintech

  • FTC Releases 2015 Annual Highlights

    Privacy, Cyber Risk & Data Security

    On April 6, the FTC released its 2015 Annual Highlights report, which comprises four key sections: (i) enforcement; (ii) policy; (iii) education; and (iv) stats and data. Regarding enforcement highlights in 2015, the report covers a range of administrative and court actions related to, among other things, technological innovations that pose fraud and security risks, the security of consumers’ personally identifiable information, and alleged payday loan scams. Significant actions summarized in the enforcement section include the FTC’s (i) December settlement with a leading U.S.-based hotel and resort chain resolving charges that its data security practices were unfair and deceptive; (ii) Operation Ruse Control, a nationwide cross-border crackdown designed to protect consumers from alleged fraud within the auto industry; and (iii) Operation Collection Protection, a federal, state, and local initiative implemented to combat alleged abusive and deceptive debt collection practices. The policy and education sections of the report separately highlight the agency’s efforts to provide guidance and recommendations to government bodies and lawmakers at the state and federal levels regarding best practices for incorporating competition principles into proposed laws, regulations, or policies, as well as its education outreach programs, such as Start with Security, a conference series designed to provide companies with practical guidance on implementing effective data security. Notably, according to the stats and data section of the report, the FTC received more than three million consumer complaints in 2015, with debt collection, “other,” and identity theft leading the numbers at 897,655, 512,022, and 490,220 complaints, respectively.

    FTC Payday Lending Debt Collection Enforcement

  • California AG Harris Announces Settlement with San Francisco-Based Bank Over Consumer Privacy Violations

    Privacy, Cyber Risk & Data Security

    On March 28, California AG Harris announced an $8.5 million settlement with a San Francisco-based bank for alleged violations of California consumer privacy laws. Specifically, an investigation by AG Harris and five district attorneys found that the bank’s employees failed to “timely and adequately disclose the recording of communications they had with members of the public” in violation of sections 632 and 632.7 of the California Penal Code. Without admitting liability, the bank agreed to (i) implement changes to its policies; (ii) comply fully with California’s laws concerning the recording of communications between the bank and California consumers, making a clear, conspicuous, and accurate disclosure (the Recorded Call Disclosure) at the beginning of any communication that is subject to recording; and (iii) implement an internal compliance program to “promote full compliance with the requirements of Penal Code sections 632.7 and 632, and the Recorded call disclosure.” Of the $8.5 million civil money penalty, $384,000 will be used to reimburse the prosecutors’ investigative costs, and $500,000 will be contributed to two California organizations dedicated to advancing consumer protection and privacy rights.

    State Attorney General State Issues Privacy/Cyber Risk & Data Security

  • New York DFS Takes Action Against Online Payday Loan Lead Generator

    Privacy, Cyber Risk & Data Security

    Recently, the New York DFS announced that an online payday loan lead generator and its CEO will pay a $1 million penalty and cease payday loan lead generation activities in New York to resolve allegations that the payday loans it advertised carried fees and interest rates greater than the usury limits allowed under New York law, and that it failed to protect consumers' personal information. According to the DFS, the company (i) "advertised payday loans and connected New York consumers to payday lenders without disclosing that the payday loans contained terms that violate New York usury laws"; and (ii) failed to take any protective measures when selling leads to its network of lead buyers, despite advertising that it "prides itself in putting [its] customer's security and personal information protection at the top of [its] priority list." In the event that the company solicits non-payday lending services in New York in the future, the order requires it to establish and adhere to data security protocols for the secure use, transfer, and storage of consumers' personal information. This is the first DFS action to require a company to implement consumer data security measures governing its future collection of consumers' personal information.

    Payday Lending Usury NYDFS Privacy/Cyber Risk & Data Security

  • FTC Issues Inquiry into Credit Card Companies' Compliance with Payment Card Industry Data Security Standards

    Privacy, Cyber Risk & Data Security

    On March 7, the FTC announced that it issued orders to nine companies requiring them to file a Special Report regarding their assessments of other companies’ compliance with the Payment Card Industry Data Security Standard (PCI DSS). Specifically, the FTC’s Order stated that it is “seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy.” Among other things, a company in receipt of the Order must state whether or not it performs PCI DSS Compliance Assessments, whether or not it provides any Data Security Forensic Audit Services, and whether or not it has been the “subject of any government or regulatory inquiry, private action, arbitration or mediation related to the provision of Data Security Services.” If a company performs PCI DSS Compliance Assessments, the Order requires that it submit certain information on the assessment process, including but not limited to, (i) whether or not Qualified Security Assessors are hired to perform the assessment; (ii) the number and percentage of clients for which it completed a Compliance Assessment, including the number for which it did not provide a “compliant” or “in place” designation on the Attestation of Compliance or the Report on Compliance, respectively; (iii) the policies and procedures related to the Compliance Assessment; and (iv) copies of a limited set of PCI DSS compliance assessments performed. Companies must file the Special Report within 45 days after the date of service of the Order, which is dated March 4, 2016.

    FTC Privacy/Cyber Risk & Data Security

  • FDIC Publishes Special Edition of Quarterly Consumer News: A Bank Customer's Guide to Cybersecurity

    Privacy, Cyber Risk & Data Security

    On March 8, the FDIC published a special edition of its Quarterly Consumer News entitled “A Bank Customer’s Guide to Cybersecurity.” The guide provides consumers with, among other things, (i) safety tips for online banking; (ii) steps to take to keep mobile devices secure; (iii) advice on how to avoid identity theft, including tips for keeping malware off computers; and (iv) an eight-question cybersecurity test based on the information provided in the guide. The guide also highlights the federal laws and regulations that require financial institutions to establish programs ensuring (i) the security and confidentiality of customer information; and (ii) the minimization of consumers’ losses if they are the victims of unauthorized purchases. Finally, the guide warns small business owners “to be vigilant in protecting their computer systems and data” and provides them with tips similar to the basic precautions outlined for consumers.

    FDIC Privacy/Cyber Risk & Data Security

  • FCC Releases Broadband Consumer Privacy Proposal Fact Sheet

    Privacy, Cyber Risk & Data Security

    On March 10, the FCC released a fact sheet regarding consumers’ privacy rights in relation to broadband internet services. Significantly, the fact sheet highlights FCC Chairman Tom Wheeler’s proposed rule, recently circulated to the Commission for consideration, which is intended to ensure consumers have the tools necessary “to make informed choices about how and whether their data is used and shared by their broadband providers.” According to the fact sheet, Chairman Wheeler’s proposed rule “separates the use and sharing of information into three categories, and proposes adoption of clear guidance for both ISPs and customers about transparency, choice and security requirements for that information.” The Commission will vote on the proposal on March 31; if adopted, a period of public comment will follow the Commission’s approval.

    FCC Agency Rule-Making & Guidance

  • Massachusetts Division of Banks Issues New Cybersecurity Exam Procedures

    Privacy, Cyber Risk & Data Security

    Recently, the Massachusetts Division of Banks released examination procedures that incorporate cybersecurity as a module in all of its examinations of banks and non-bank licensees. The procedures consist of two separate workbooks. The first, the NDIS IT/Information Security Examination Work-program, contains questions related to a Licensee’s (i) risk assessment and management oversight; (ii) written information security program; (iii) data security operations; (iv) business continuity and disaster recovery; (v) cybersecurity; and (vi) IT audit. Section VII of that workbook provides space for an examination summary, and Section VIII contains links to examination resources, including, but not limited to, the FFIEC Interagency Guidelines Establishing Information Security Standards and a copy of 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth. The second, the Non-Depository Institution Supervision Information Technology Officer’s Questionnaire, “contains questions covering significant areas of the Licensee’s [IT] function.”

    Last year, the Division sent a communiqué to the CEOs of regulated institutions encouraging them to perform a cybersecurity assessment using the FFIEC Cybersecurity Assessment Tool, and noted that it would review those assessments in future examinations.

    Examination Privacy/Cyber Risk & Data Security

  • Department of Commerce Reveals EU-U.S. Privacy Shield Framework

    Privacy, Cyber Risk & Data Security

    This week, the Department of Commerce released a package related to the EU-U.S. Privacy Shield Framework for transatlantic data flows. In February, the European Commission announced that the U.S. and the European Commission had agreed to a new Framework, but the Department of Commerce’s recently issued package is the first time the text of the agreement has been made available to the public. In addition to the Framework itself, the package contains copies of correspondence from U.S. officials discussing matters related to the Framework and how the appropriate U.S. government agencies will enforce the Framework if it is adopted. Among other things, the new agreement (i) requires companies to respond to consumer complaints within 45 days of receiving the complaint; and (ii) describes a binding arbitration option for “certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield.” Significantly, as noted in a statement from the European Commission, a final decision regarding the implementation of the Framework has not yet been made: “Now, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the [members of the Commission]. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.”

    On a related note, President Obama signed the Judicial Redress Act last week, which clears the way for the highly anticipated signature of the EU-U.S. Data Protection Umbrella Agreement.

    Privacy/Cyber Risk & Data Security

  • Special Alert: CFPB Enters into First Consent Order with Online Payment Platform for Misrepresenting Data Security Practices

    Privacy, Cyber Risk & Data Security

    On March 2, the CFPB took action against an Iowa-based online payment platform and entered into a Consent Order for deceptive acts and practices relating to false representations regarding the company’s data security practices, in violation of sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010. The CFPB ordered the company to pay a $100,000 fine and to take certain remedial steps to improve its cybersecurity practices. Notably, this action results from the company’s failure to have adequate controls in place; it is not the result of a breach. Like other regulators, the CFPB will likely pay increasing attention to cybersecurity and data privacy issues as their significance becomes better understood.

    The Consent Order states that the company (i) misrepresented the quality and efficacy of its cybersecurity and data privacy practices by stating that all personal data on its site was “safe” and “secure” and that its practices “exceeded” industry standards; (ii) did not properly encrypt consumer data; and (iii) failed to provide employees with sufficient cyber training.


    CFPB
