
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC Comptroller Discusses Emerging Payment Systems Technology and Cybersecurity, FFIEC Set to Release Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    On June 3, in prepared remarks delivered at the BITS Emerging Payments Forum, OCC Comptroller Thomas Curry advised that as financial institutions continue to develop payment systems, banks need better preparation for potential cyber-risks. Curry warned that “[c]yber criminals will also probe emerging payment systems for vulnerabilities that they can exploit to engage in money laundering[.]” In addition, Curry advocated for more regulatory oversight of digital currencies and non-bank mobile payment providers, such as ApplePay and Google Wallet. Addressing cybersecurity concerns, Curry called for increased information-sharing to promote best practices and strengthen cybersecurity readiness across the banking industry. In particular, he urged financial institutions of all sizes to participate in the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a non-profit founded by the banking industry to facilitate the sharing and dissemination of cybersecurity threat information. Moreover, Curry confirmed that the FFIEC will soon be releasing a Cybersecurity Assessment Tool for financial institutions to use when evaluating their cybersecurity risks and risk management capabilities, observing that the tool will be particularly helpful to community banks as cybersecurity threats continue to increase.

    Payment Systems Nonbank Supervision OCC FFIEC Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • FCC Releases Enforcement Advisory Regarding Privacy and Internet Service Providers

    Privacy, Cyber Risk & Data Security

    On May 20, the FCC released an enforcement advisory regarding the enforcement of Section 222 of the Communications Act as it relates to providers of broadband Internet access service (BIAS). The advisory bulletin indicates that, until the FCC implements new BIAS-specific privacy regulations, the Enforcement Bureau will “focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details.” Thus, “the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”

    FCC Enforcement

  • Second Circuit Rules National Security Agency's Collection of Phone Data Unlawful Under USA PATRIOT Act

    Privacy, Cyber Risk & Data Security

    In ACLU et al. v. Clapper et al., No. 14-42-CV, --- F.3d ----, 2015 WL 2097814 (2d Cir. May 7, 2015), the Second Circuit reversed a lower court’s ruling that the NSA’s bulk collection of phone data can be lawfully conducted under the USA Patriot Act. The district court had dismissed the ACLU’s complaint, holding that the program was authorized under the Patriot Act. The Second Circuit vacated that ruling and remanded the matter to the District Court.

    In remanding the matter, the Court held that “the district court erred in ruling that § 215 [of the USA Patriot Act] authorizes the telephone metadata collection program, and instead hold that the telephone metadata program exceeds the scope of what Congress has authorized and therefore violates § 215.” Id. at *33. The Court found that “[s]uch expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans.” Id. at *25. Because the Court decided the issue on statutory grounds, it declined to determine the constitutionality of the program. Id. at *1, *31. Although the Second Circuit vacated the lower court judgment, it fell short of stopping the program and affirmed the District Court’s denial of a request for a preliminary injunction, given that parts of Section 215 were set to expire on June 1, 2015. Id. at *32.

    Patriot Act

  • Spotlight on Electronic Discovery: Challenges Presented by the Internet of Things

    Privacy, Cyber Risk & Data Security

    E-discovery is poised to enter a new revolution as the Internet of Things (“IoT”) continues its seemingly exponential growth. IoT is the ecosystem of interconnected sensory devices that perform coordinated, pre-programmed – and even learned – tasks without the need for continuous human input. Consider your fitness tracker that logs your sleep and physical activity, or sensors in your vehicle that track your driving habits on behalf of your auto insurance provider – all of these objects log and upload data about your body and habits into the cloud for analysis and use in automated tasks. All this data, projected to impact nearly every facet of industrialized society, has presented numerous preservation, collection, and analytical challenges for litigators navigating e-discovery in the world of the IoT. But despite these challenges, litigators can use technological and legal tools to effectively manage IoT discovery.

    1. It is true that IoT was not designed with e-discovery in mind, but neither was email or social media.

    IoT data is generated by machines and usually transferred to the cloud rather than being stored on devices. This data storage process, which is largely automated, presents numerous preservation conundrums for litigators.

    “Although innovation in e-discovery necessarily lags behind the innovation of the underlying technology, technology has always solved the problem that it had created. There’s no reason to believe the IoT experience will be materially different. But until that day arrives, courts should avail litigants of protections against disproportionate e-discovery efforts,” said Elizabeth McGinn, Partner in the DC office of BuckleySandler LLP.

    2. The responding litigant may not have the requisite control over IoT data to preserve it.

    “The challenge of who controls cloud data is not unique to the IoT,” said Ty Yankov, Associate in the DC office of BuckleySandler LLP.

    Technology companies have invested billions to maintain access to the data created from IoT devices, which calls into question who can control data created by such devices – the company that created the device or the person whose data the device has collected?

    3. Preservation of IoT may be limited by the proposed revisions to the Federal Rules of Civil Procedure.

    “Perhaps the most potent limitation to a party’s preservation and collection obligation of IoT data may rest in the timely proposed revisions to the Federal Rules of Civil Procedure, which are widely expected to take effect by the end of 2015,” said McGinn. Mindful of litigants’ inclination to over-preserve evidence, the Rules Committee seeks to clarify and limit litigants’ discovery obligations in four important ways:

    • Proposed Rule 26(b) limits discoverability to issues within the parties’ claims or defenses, eliminating broad subject matter discovery.
    • Proposed Rule 26(b)(2)(i) redefines the scope of discovery to include a proportionality principle.
    • Proposed Rule 37(e) extends the proportionality principle to the duty to preserve evidence.
    • Proposed Rule 26(b)(2)(B) reaffirms the allocation of expenses as a potential protective order remedy.

    “IoT’s impact to data preservation and collection in e-discovery will be more muted than many fear,” said Yankov. “This is in large part due to the anticipated adoption of the proposed revisions to the Federal Rules as applied to the unique challenges of its preservation and accessibility.”

    In their recently published article, “Treading Beyond the Iota of Fear: eDiscovery of the Internet of Things,” McGinn and Yankov provide further discussion on the changes and challenges IoT brings to e-discovery.

    E-Discovery Internet of Things Elizabeth McGinn Ty Yankov

  • SEC Publishes Cybersecurity Guidance for Registered Investment Companies and Advisers

    Privacy, Cyber Risk & Data Security

    On April 30, the SEC’s Division of Investment Management issued IM Guidance Update No. 2015-02, which highlights measures that investment companies and advisers may wish to consider in addressing cybersecurity risks. The guidance urges firms to adopt a three-pronged approach. First, conducting a periodic assessment of (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. Second, creating a strategy designed to prevent, detect, and respond to cybersecurity threats. Third, implementing the strategy through written policies and procedures. The Division’s guidance also warned investment companies and advisers about third-party vendor agreements that could potentially lead to unauthorized access to investors’ information.

    SEC Vendors Privacy/Cyber Risk & Data Security

  • FDIC OIG Publishes Results of Audit of Personally Identifiable Information in Owned Real Estate Properties

    Privacy, Cyber Risk & Data Security

    On April 28, the FDIC’s Office of the Inspector General published a report – The FDIC’s Controls for Identifying, Securing, and Disposing of Personally Identifiable Information in Owned Real Estate Properties – regarding its audit of the agency’s internal controls over personally identifiable information (PII) in owned real estate (ORE) properties, which it acquires from failed FDIC-insured financial institutions. The audit was conducted to determine whether the FDIC’s internal controls sufficiently identified, secured, and disposed of ORE properties’ PII. According to the report, the OIG determined that the agency’s Division of Resolutions and Receivership (DRR), which is responsible for the liquidation of assets, often did not identify PII in a timely manner, and its “practices for handling and disposing of the information were inconsistent in certain key respects.” As a result of the audit, the OIG recommends that the DRR incorporate the following enhancements to its current review process for PII at ORE properties: (i) obtain from the agency’s legal division an opinion that outlines and clarifies the requirements for handling PII at ORE properties; (ii) review existing policies, procedures, guidance, and training and make adjustments where necessary; and (iii) establish “the appropriate disposition of the PII that was identified at three of the ORE properties reviewed during the audit and that is currently in off-site storage.”

    FDIC Privacy/Cyber Risk & Data Security

  • Washington Enacts Legislation Strengthening Data Breach Notification Requirements

    Privacy, Cyber Risk & Data Security

    On April 23, Washington Governor Jay Inslee signed bill H.R.1078, which requires covered entities to contact consumers living within the state as soon as possible, and no later than 45 days, after the discovery of a breach of personal information. Under the new law, failure to notify consumers of a data breach would violate the state’s Consumer Protection Act. The legislation also requires covered entities to notify the state attorney general and grants the attorney general authority to pursue enforcement actions on behalf of the state or consumers living within the state. The new law goes into effect July 24, 2015.

    Privacy/Cyber Risk & Data Security

  • FTC Settles With Debt Brokers For Leaking Sensitive Consumer Information

    Privacy, Cyber Risk & Data Security

    On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined initially by a certified third party and again, thereafter, every two years for a duration of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • FTC Releases 2014 Annual Highlights Report

    Privacy, Cyber Risk & Data Security

    On April 15, the FTC released its 2014 Annual Highlights Report (Report), summarizing the FTC’s work during the prior year to protect consumers and promote competition in industries such as mobile technology, healthcare, and consumer products and services. The Report notes a range of policy actions, including filing eight amicus briefs on topics such as debt collection and children’s online privacy. It also publicizes the FTC’s work in pursuing over 150 enforcement actions resulting in $640 million in consumer refunds, highlighting the actions against mobile carriers’ “cramming” activities and companies that misrepresented the security features of their mobile applications and failed to disclose hidden in-app charges.

    FTC

  • Target and MasterCard Reach $19 Million Agreement Over Data Breach

    Privacy, Cyber Risk & Data Security

    On April 15, retail company Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its credit card issuers to cover operational costs and fraud-related losses resulting from a data breach incident in 2013. According to a press release issued by Target, the agreement is dependent upon, among other things, 90 percent of eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015. Eligible issuers, mostly comprising banks and credit unions, who accept the offer will be required to release any current or future claims against Target with respect to the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later time.

    Credit Cards Privacy/Cyber Risk & Data Security
