
InfoBytes Blog

Financial Services Law Insights and Observations


  • Omnibus Spending Package Affects Cybersecurity Legislation

    Privacy, Cyber Risk & Data Security

    On December 15, Speaker Paul Ryan (R-WI) unveiled the omnibus spending bill, which includes the Cybersecurity Act of 2015 – legislation that would affect how businesses share information with each other and the government, and establish an information system for the government to share “cyber threat indicators and defensive measures in real time consistent with the protection of classified information” with federal and non-federal entities. The cybersecurity text included in the omnibus bill is a combination of three cybersecurity bills that were under legislative consideration this year, as follows: S. 754 - Cybersecurity Information Sharing Act of 2015; H.R. 1731 - National Cybersecurity Protection Advancement Act of 2015; and H.R. 1560 - Protecting Cyber Networks Act. Designating the Department of Homeland Security as the government’s proxy, the revised legislation provides entities with liability protections for voluntarily sharing cybersecurity threat information with the government. Specifically, regarding the sharing or receipt of cyber threat indicators, the legislation reads, “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c).” Although the legislation includes text mandating that entities “implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual,” critics from privacy and civil liberties organizations argue that the language is vague, offering citizens little protection while enhancing intelligence agencies’ capability to invade personal privacy.

    The House is scheduled to vote on the legislation Friday, December 18, with the Senate – should the legislation pass the House – acting shortly thereafter.

    U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • FTC Announces Record Settlement with Identity Theft Protection Company over Alleged Failures to Adhere to a 2010 Court Order

    Privacy, Cyber Risk & Data Security

    On December 17, the FTC announced a $100 million settlement with an Arizona-based identity theft protection company for violating the terms of a prior federal court order. In 2010, the District Court of Arizona prohibited the company from engaging in deceptive advertising and required it to secure consumers’ personal information. According to the FTC’s contempt charges, the company violated the terms of the prior order primarily by (i) failing to establish and maintain an adequate information security program to protect consumers’ personal information, such as social security numbers, and credit card and bank account numbers; (ii) falsely advertising that it protected consumers’ sensitive data by using the same sophisticated protections that financial institutions use; (iii) falsely advertising that it would send consumers alerts “as soon as” it received any indication that the consumer was a victim of identity theft; and (iv) failing to sufficiently create and retain records regarding the sale or provision of products or services related to identity theft.

    The settlement is the largest monetary award obtained by the FTC in an enforcement action. Of the $100 million, $68 million may be used to “redress fees paid to [the company] by class action consumers who were allegedly injured by the same behavior alleged by the FTC.” In addition to the monetary provisions, the company must adhere to the recordkeeping procedures outlined in the 2010 order for an additional 13 years.

    FTC Privacy/Cyber Risk & Data Security

  • FAST Act to Provide Regulatory Relief to Community Banks

    Privacy, Cyber Risk & Data Security

    On December 4, President Obama signed into law H.R. 22, the “Fixing America’s Surface Transportation Act” (FAST Act). Although a transportation bill on its surface, the bill also contains various provisions that are intended to provide regulatory relief to community banks and improve the efficiency of state financial regulation. Significant provisions in the bill include: (i) establishing a process that allows parties, including banks and other stakeholders, to petition the CFPB for “rural” or “underserved” designations in certain areas for the purposes of the CFPB’s ability-to-repay rule; (ii) expanding the CFPB’s ability to exempt creditors serving rural or underserved areas from escrow requirements; (iii) granting greater flexibility to the CFPB with regard to treating a balloon loan as a qualified mortgage, if a community bank or creditor operating in a rural or underserved area extended the loan; (iv) increasing the threshold for 18-month exam cycles for well-capitalized banks from $500 million to $1 billion; and (v) authorizing the Nationwide Mortgage Licensing System – which state regulators use to license various nonbank financial services industries, such as money transmitters, payday lenders, and debt collectors – to process background checks for non-mortgage license applicants.

    In addition, the act provides relief to all financial institutions meeting certain criteria from annual Gramm-Leach-Bliley privacy notice requirements. Pursuant to the Gramm-Leach-Bliley Act (GLBA) and Regulation P, financial institutions were required to deliver privacy notices to customers physically, or electronically with consent; in 2014, the CFPB amended Regulation P to permit institutions to post privacy notices online without customer consent, so long as certain criteria were met. The FAST Act’s statutory change in Section 75001 removes some of those criteria so that financial institutions do not have to send annual privacy notices so long as (i) their information sharing practices have not changed since their last notice; and (ii) they do not engage in information sharing that requires providing customers with an opt-out under the GLBA.

    NMLS Gramm-Leach-Bliley Community Banks

  • European Commission Announces Agreement on New Cybersecurity Rules

    Privacy, Cyber Risk & Data Security

    On December 8, the European Commission announced that European Union lawmakers reached an agreement regarding cybersecurity and breach reporting legislation. The rules are intended to improve cybersecurity capabilities in Member States as well as their cooperation on cybersecurity, and will “require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to national authorities.” The text of the agreement is subject to formal approval by the European Parliament and the EU Council of Ministers; once officially published in the EU Official Journal, Member States will have 21 months to adopt the directive into their national laws and an additional 6 months to identify which internet providers it will affect.

    European Union Privacy/Cyber Risk & Data Security

  • FTC Settles with Hotel and Resort Chain Over Data Security Practices

    Privacy, Cyber Risk & Data Security

    On December 9, the FTC announced a settlement with a leading United States-based hotel and resort chain to resolve charges that the company’s data security practices were unfair and deceptive under Section 5 of the FTC Act. The settlement follows the Third Circuit’s August 24 ruling affirming the FTC’s authority to take action against companies with deficient cybersecurity practices that fail to protect consumer data against hackers. The settlement terms require the company for the next 20 years to establish, implement, and maintain a comprehensive information security program that is designed to protect the security, confidentiality, and integrity of cardholder data. In addition, the company must obtain annual written assessments of its information security program. The assessments must certify (i) the “untrusted” status of franchisee networks that may store, process, or transmit cardholder data; (ii) the extent of the company’s compliance with the risk management protocol; and (iii) that the assessments were completed by a qualified and independent auditor free from any conflicts of interest. The settlement also requires that in the event of another data breach affecting more than 10,000 consumers, the company must obtain an assessment of the breach within 180 days and report the findings of the assessment to the FTC within 10 days of its completion.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • State AGs Urge Card Companies to Advance Consumer Protection by Implementing Chip and PIN Technology

    Privacy, Cyber Risk & Data Security

    On November 16, nine state attorneys general sent a letter urging leading card brands to expedite the implementation of chip and PIN technology in the United States. The letter summarizes research connected to recent data breaches, stating “individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.” Addressing concern that PIN technology would be burdensome or confusing to consumers, the AGs maintain that many consumers are accustomed to financial transactions that rely on PIN technology, such as transactions involving debit cards, and point to a November 2014 poll that indicated cardholders were supportive of chip and PIN technology. The AGs emphasize that PIN technology is “nothing new” and is considered the “gold standard” for payment card security, noting that countries around the world have seen a dramatic decrease in fraud since implementing the technology. Finally, while the letter stresses that chip and PIN technology would better protect both consumers and businesses from data breaches, it does not suggest that the technology be legally mandated at the federal or state level: “[T]his letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”

    Fraud State Attorney General Privacy/Cyber Risk & Data Security

  • FFIEC Releases Revised Management Booklet with Emphasis on Sound IT Governance

    Privacy, Cyber Risk & Data Security

    On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”

    Vendors FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • DOJ Unseals Indictment Against Individuals for Alleged Involvement in Hacks Against Various U.S. Institutions

    Privacy, Cyber Risk & Data Security

    On November 10, the DOJ unsealed an indictment against three individuals, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, for allegedly orchestrating and committing computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers. According to the DOJ, “these three defendants perpetrated one of the largest thefts of financial-related data in history – making off with the sensitive information of literally thousands” of Americans. The DOJ alleges that, from approximately 2012 to mid-2015, Shalon and Aaron hacked financial institutions to steal the personal information of more than 100 million customers, and then manipulated the price of certain U.S. publicly traded stocks, seeking to “market the stocks, in a deceptive and misleading manner, to customers of the victim companies whose contact information they had stolen in the intrusion.” Additionally, Shalon engaged in illegal businesses with Orenstein between 2007 and July 2015, allegedly operating (i) unlawful internet gambling businesses; (ii) multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software distributors, and unlawful internet casinos; and (iii) Coin.mx, a Bitcoin exchange company that violated federal anti-money laundering laws. Through these schemes, the defendants allegedly profited hundreds of millions of dollars in illegal funds and, using aliases, laundered criminal proceeds through at least 75 international shell companies and bank and brokerage accounts. The defendants are charged with multiple counts of offenses, including conspiracy to commit computer hacking, conspiracy to commit securities fraud, aggravated identity theft, wire fraud and operation of an unlicensed money transmitting business.

    The DOJ also announced the unsealing of a separate indictment against Anthony R. Murgio, who was arrested on complaint in July for operating Coin.mx in the United States.

    DOJ Payment Processors Privacy/Cyber Risk & Data Security

  • New York DFS Submits Letter to Federal Regulators Regarding Potential Cybersecurity Regulations

    Privacy, Cyber Risk & Data Security

    On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.

    Bank Supervision Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500

  • FCC Settles with Company Over Alleged Data Protection Failures

    Privacy, Cyber Risk & Data Security

    On November 5, the FCC resolved its first-ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third-party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third-party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third-party vendors and employees; and (viii) regularly file compliance reports with the FCC.

    FCC Privacy/Cyber Risk & Data Security
