InfoBytes Blog

Financial Services Law Insights and Observations

  • DOJ Deputy Assistant AG Delivers Testimony at Senate Subcommittee Hearing Regarding Cyber Crime

    Privacy, Cyber Risk & Data Security

    On July 8, the DOJ’s Deputy Assistant AG, David Bitkower, delivered his testimony before the Senate Judiciary Subcommittee on Crime and Terrorism’s hearing entitled, “Cyber Crime: Modernizing Our Legal Framework for the Information Age.” Bitkower’s testimony focused on two of President Obama’s earlier 2015 legislative proposals regarding the security of online privacy for American citizens and businesses. The first proposal, with an emphasis on the “insider threat,” seeks to amend a provision of the Computer Fraud and Abuse Act (CFAA) – the primary statute the DOJ uses to charge computer crime cases – to ensure that corrupt employees using their authority to access sensitive data for personal gain are not immune from federal punishment. Bitkower noted that recent judicial decisions have impeded the government’s ability to prosecute cases where “serious violations and invasions of privacy” were prevalent. The second legislative proposal would enhance the DOJ’s ability to combat botnets, the networks of computers that are infected with malware and used by criminals to steal personal information, evade detection, and hold computers and computer systems for ransom. The proposed legislation would broaden the categories of crimes committed with botnets that can be enjoined by courts, which, under the current law, are mostly limited to financial crimes.

    DOJ U.S. Senate Privacy/Cyber Risk & Data Security

  • NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority

    Privacy, Cyber Risk & Data Security

    On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation, or to pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements. Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”

    State Attorney General U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • FFIEC Releases Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.

    Privacy/Cyber Risk & Data Security FFIEC Bank Supervision Risk Management

  • OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations

    Privacy, Cyber Risk & Data Security

    Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts.  It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector.  The report also notes declining revenues and profitability overall in OCC-supervised institutions.

    OCC Anti-Money Laundering Bank Secrecy Act Semiannual Risk Report Bank Supervision Risk Management Privacy/Cyber Risk & Data Security

  • Mobile App Developer Settles with FTC and New Jersey AG Over Virtual Currency Mining

    Privacy, Cyber Risk & Data Security

    On June 29, a mobile app developer entered into an agreement with the FTC and the New Jersey AG to settle allegations that the developer engaged in deceptive and unfair practices by marketing its rewards app, called “Prized,” as being free of malicious software, also known as “malware.” However, according to the FTC, the true purpose of the mobile app was to upload malware onto consumers’ mobile devices capable of mining virtual currencies for the software developer. This process allegedly reduced the battery life of consumers’ devices and caused consumers to burn through their monthly data plans. Under the terms of the settlement, the developer and accompanying mobile app are (i) prohibited from creating and distributing malicious software, and (ii) required to pay $50,000 to the state of New Jersey, with $5,200 due immediately, and the remaining $44,800 payable if the developer fails to comply with the terms of the consent order or the New Jersey Consumer Fraud Act within three years of the order.

    FTC State Attorney General Mobile Commerce Enforcement Virtual Currency Digital Commerce UDAAP

  • Fed Governor Discusses Payment Security

    Privacy, Cyber Risk & Data Security

    On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.

    Payment Systems Federal Reserve Privacy/Cyber Risk & Data Security

  • Alleged Ringleader of Global Cybercrimes Extradited to United States to Face Charges

    Privacy, Cyber Risk & Data Security

    Today, the DOJ unsealed an eighteen-count indictment in Brooklyn, New York charging a Turkish citizen (Defendant) with organizing worldwide cyberattacks against at least three U.S. payment processors’ computer networks. The Defendant’s organization allegedly used “sophisticated intrusion techniques” to hack the computer systems, stealing prepaid debit card data and subsequently using the stolen data to make ATM withdrawals in which standard withdrawal limits were manipulated to allow for greater withdrawals. According to the indictment, the Defendant managed a group of co-conspirators responsible for distributing the stolen card information to “cashing crews” around the world, who then used the information to conduct tens of thousands of fraudulent ATM withdrawals and fraudulent purchases. Within two days – February 27 and 28, 2011 – the DOJ alleges that the “cashing crews withdrew approximately $10 million through approximately 15,000 fraudulent ATM withdrawals in at least 18 countries.” The remaining two operations, occurring in late 2012 and early 2013, resulted in ATM withdrawals of roughly $5 million and $40 million, respectively. The Defendant, along with other high-ranking members of the conspiracy, received the funds from the fraudulent operations via wire transfer, electronic currency, and personal delivery of U.S. and foreign currency. The Defendant was arrested in Germany on December 18, 2013, and was extradited to the United States on June 23, 2015. The charges against the Defendant follow previous charges against members of the conspiracy, including the arrest of a member of the New York cashing crew.

    Debit Cards DOJ Payment Processors Privacy/Cyber Risk & Data Security

  • FCC Adopts Chairman Wheeler's Proposal to Strengthen Consumer Protection Under the TCPA

    Privacy, Cyber Risk & Data Security

    On June 18, the FCC held an Open Commission Meeting, during which the Commission adopted Chairman Wheeler’s proposal to strengthen consumer protection under the TCPA. The set of declaratory rulings included in the proposal affirms consumers’ rights to revoke their consent to receive robocalls or robotexts at any reasonable time and in any reasonable way, and gives carriers the ability to provide consumers with “Do Not Disturb” technology. The Commission’s June 18 Action by Declaratory Ruling and Order was described as an effort to close “loopholes and [strengthens] consumer protections already on the books.”

    TCPA FCC

  • European Union Reaches Agreement Regarding New Data Protection Law

    Privacy, Cyber Risk & Data Security

    On June 15, the 28 governments of the European Union agreed to a draft Data Protection Regulation that would establish tighter privacy provisions for users of online services – including those provided by U.S. tech companies – in a majority of European countries. The draft Regulation advances a single set of data protection rules for the EU, which include data breach notification obligations, within 24 hours if feasible, a strengthened “right to be forgotten,” and additional enforcement power for Europe’s data protection authorities, including penalties of up to €1 million or up to 2% of global annual turnover of a company. While EU Commissioners say the proposed law would cut costs for businesses, critics argue that its provision requiring data processors to delete individuals’ personal data upon request would inevitably increase costs for European-based internet companies. For the past three and a half years, the EU has tried to reach an agreement to merge the countries’ rules on personal data protection into one set of regulations. If this most recent proposal passes the next phase of European Parliament negotiations, the law will have a 2016 effective date, with a two-year transitional period for companies and data protection authorities to adapt to the new regulations.

    European Union Privacy/Cyber Risk & Data Security

  • FCC Chairman Circulates Proposal to Strengthen Consumer Protection Under the TCPA; Open Meeting Scheduled For June 18

    Privacy, Cyber Risk & Data Security

    On May 27, the FCC released a fact sheet outlining Chairman Wheeler’s proposal for a series of rulings under the Telephone Consumer Protection Act (TCPA) that he asserts will better protect American consumers from unsolicited robocalls, spam text messages, and telemarketing calls. If adopted, the proposal would, among other things: (i) give consumers the right to revoke their consent to receive robocalls and robotexts at any reasonable time and in any reasonable way; (ii) authorize carriers to offer robocall-blocking or “Do Not Disturb” technologies to consumers; and (iii) require robocallers to stop calling a number when it has been reassigned to a new subscriber. Responding to multiple petitions that “sought clarity on how the Commission enforces” the TCPA, the proposal aims to “close loopholes and strengthen consumer protections already on the books.” The Chairman’s proposal is scheduled to be voted on at the Open Commission Meeting on June 18.

    TCPA FCC Agency Rule-Making & Guidance
