
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC Settles with Company Over Alleged Data Protection Failures

    Privacy, Cyber Risk & Data Security

    On November 5, the FCC resolved its first ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third party vendors and employees; and (viii) regularly file compliance reports with the FCC.

    FCC Privacy/Cyber Risk & Data Security

  • FFIEC Issues Joint Statement Regarding Cyber Attacks Involving Extortion

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.

    The OCC also published a bulletin alerting all OCC-supervised institutions of the FFIEC’s joint statement.

    OCC FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • FTC Announces Agenda for Cross-Device Tracking Workshop

    Privacy, Cyber Risk & Data Security

    On November 3, the FTC announced the agenda for its Cross-Device Tracking workshop, which is scheduled to take place on November 16 in Washington, D.C. FTC Chairwoman Edith Ramirez will deliver opening remarks, with FTC Office of Technology, Research and Investigation Policy Director Justin Brookman introducing two panel discussions. The first panel will examine the technology used for cross-device tracking, including how it has evolved, privacy concerns, and how the technology benefits consumers and businesses alike. The second panel will focus on the policy implications of cross-device tracking, such as: (i) the type of data being collected about consumers; (ii) consumer awareness of this type of tracking; (iii) notice to consumers of cross-device tracking and consumers’ ability to give consent; and (iv) industry self-regulation efforts.

    FTC Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • FTC and International Partners Launch New Information-Sharing System

    Privacy, Cyber Risk & Data Security

    On October 25, the FTC and seven members of the Global Privacy Enforcement Network (GPEN) launched GPEN Alert, a new information-sharing system designed to enhance coordinated efforts to protect consumer privacy. The FTC and seven data protection authorities from Australia, Canada, Ireland, the Netherlands, New Zealand, Norway, and the United Kingdom signed an MOU to participate in GPEN Alert. GPEN Alert is based on the FTC’s Consumer Sentinel Network and will allow participating agencies to confidentially share information about privacy investigations and enforcement actions.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Announces Agenda, Panelists for Lead Generation Workshop Addressing Consumer Protection Issues

    Privacy, Cyber Risk & Data Security

    On October 19, the FTC announced the agenda for its upcoming workshop entitled “Follow the Lead: An FTC Workshop About Online Lead Generation.” As consumers search the internet for goods and services, they are oftentimes asked to provide sensitive personal and financial information that a lead generator may then transfer to third-party marketing companies. The workshop will examine consumer protection issues raised as a result of the practices of the lead generation industry, and is scheduled to host the following panels in Washington, DC on October 30: (i) Introduction to Lead Generation Marketplace and Mechanics; (ii) Case Study on Lead Generation in Lending; (iii) Case Study on Lead Generation in Education; (iv) Overview of Consumer Protection Concerns and the Legal Landscape; and (v) Looking Ahead – Protecting and Educating Consumers.

    FTC Lead Generation Privacy/Cyber Risk & Data Security

  • Statement of the Article 29 Working Party Regarding Schrems EU Court Decision

    Privacy, Cyber Risk & Data Security

    On October 16, the Article 29 Working Party (Working Party) released a statement regarding the October 6 Court of Justice of the European Union’s decision to invalidate the adequacy of the U.S.-EU data protection Safe Harbor framework. The EU Court recently declared that the Safe Harbor Framework fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” In response to the EU Court’s decision, the Working Party provided the following guidance on the implementation of the judgment: (i) a broad analysis of third country domestic laws and international commitments must be applied when determining if data transfers meet adequacy standards; and (ii) Member States and European institutions should hold open discussions with U.S. authorities to “find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” The Working Party noted that it will continue to monitor the Irish High Court for developments concerning the Schrems opinion, but that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

    Privacy/Cyber Risk & Data Security

  • Illinois to Host Cyber Risk and Security Conferences; CSBS to Co-host

    Privacy, Cyber Risk & Data Security

    On October 14, the Illinois Division of Banking announced that it would host two Cyber Risk and Security Conferences on November 9 and November 16. With the growing number of threats to financial data systems, cyber and data security has become a top concern for regulators in the financial industry. Topics to be addressed at the conferences include: (i) current cyber threats; (ii) banks’ and credit unions’ cyber preparedness and response to threats; and (iii) existing trends and the globalization of cyber crimes. The CSBS will co-host the conferences.

    CSBS Privacy/Cyber Risk & Data Security

  • FTC Releases Agenda for Start with Security Conference

    Privacy, Cyber Risk & Data Security

    On October 14, the FTC announced the agenda for its Start with Security conference, scheduled to take place on November 5 in Austin, TX. The conference is intended to provide companies, particularly start-ups and developers, with tips for implementing effective data security. The event will host the following four panels: (i) Starting up Security - Building a Security Culture; (ii) Scaling Security - Adapting Security Testing for DevOps and Hyper-growth; (iii) Third-party AppSec - Dealing with Bugs, Bug Reports, and Third-party Code; and (iv) Beyond Bugs - Embracing Security Features.

    FTC Privacy/Cyber Risk & Data Security

  • Third Circuit Vacates New Jersey District Court's Dismissal of TCPA-related Case

    Privacy, Cyber Risk & Data Security

    On October 14, the Court of Appeals for the Third Circuit ruled that the recipient – intended or not – of a prerecorded call has standing under the TCPA, so long as the recipient has sufficient ties to the number called. Leyse v. Bank of America NA, No. 14-4073 (3rd Cir. Oct. 14, 2015). In 2011, a roommate of the intended recipient sued a financial institution after answering a prerecorded telemarketing call seeking to advertise credit cards on behalf of the financial institution. In 2014, the District Court of New Jersey dismissed the case on the grounds that the plaintiff was not the intended recipient of the call and, therefore, lacked standing. The Third Circuit vacated that ruling, holding that the TCPA’s “zone of interests encompasses more than just the intended recipients of the prerecorded telemarketing calls” and that “[l]imiting standing to the intended recipient would disserve the very purposes Congress articulated in the text of the Act.”

    TCPA Third Circuit

  • DOJ Disables Malware Designed for Bank-Theft; Unseals Indictment Against Botnet Administrator

    Privacy, Cyber Risk & Data Security

    On October 13, the DOJ unsealed an indictment against a Moldovan citizen for his alleged involvement in a criminal conspiracy to steal confidential financial information by distributing malware through phishing emails. According to the indictment, the Defendant and his co-conspirators infected computers with malware designed to circumvent anti-virus protections and steal confidential personal and financial information from victims. The confidential information, such as online banking credentials, was used to “falsely represent to banks that the defendant and co-conspirators were the victims or employees of the victims with authority to access the victims’ bank accounts.” The investigation found that an estimated $10 million loss in the U.S. alone can be attributed to the Defendant’s scheme.

    DOJ Enforcement Privacy/Cyber Risk & Data Security
