
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC OIG Publishes Results of Audit of Personally Identifiable Information in Owned Real Estate Properties

    Privacy, Cyber Risk & Data Security

    On April 28, the FDIC’s Office of the Inspector General published a report – The FDIC’s Controls for Identifying, Securing, and Disposing of Personally Identifiable Information in Owned Real Estate Properties – regarding its audit of the agency’s internal controls of personally identifiable information (PII) in owned real estate (ORE) properties, which it acquires from failed FDIC-insured financial institutions. The audit was conducted to determine whether or not the FDIC’s internal controls sufficiently identified, secured, and disposed of ORE properties’ PII. According to the report, the OIG determined that the agency’s Division of Resolutions and Receivership (DRR), which is responsible for the liquidation of assets, often did not identify PII in a timely manner, and its “practices for handling and disposing of the information were inconsistent in certain key respects.” As a result of the audit, the OIG recommends that the DRR incorporate the following enhancements to its current review process of PII at ORE properties: (i) Obtain from the agency’s legal division an opinion that outlines and clarifies the requirements for handling PII at ORE properties; (ii) Review existing policies, procedures, guidance, and training and make adjustments where necessary; and (iii) Establish “the appropriate disposition of the PII that was identified at three of the ORE properties reviewed during the audit and that is currently in off-site storage.”

    FDIC Privacy/Cyber Risk & Data Security

  • Washington Enacts Legislation Strengthening Data Breach Notification Requirements

    Privacy, Cyber Risk & Data Security

    On April 23, Washington Governor Jay Inslee signed House Bill 1078 (HB 1078), which requires covered entities to notify affected consumers residing in the state as soon as possible, and no later than 45 days, after discovery of a breach of personal information. Under the new law, failure to notify consumers of a data breach is a violation of the state’s Consumer Protection Act. The legislation also requires covered entities to notify the state attorney general and grants the attorney general authority to bring enforcement actions on behalf of the state or of consumers residing in the state. The new law takes effect July 24, 2015.

    Privacy/Cyber Risk & Data Security

  • FTC Settles With Debt Brokers For Leaking Sensitive Consumer Information

    Privacy, Cyber Risk & Data Security

    On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined initially by a certified third party and again, thereafter, every two years for a duration of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • FTC Releases 2014 Annual Highlights Report

    Privacy, Cyber Risk & Data Security

    On April 15, the FTC released its 2014 Annual Highlights Report (Report), summarizing the FTC’s work during the prior year to protect consumers and promote competition in industries such as mobile technology, healthcare, and consumer products and services. The Report notes a range of policy actions, including filing eight amicus briefs on topics such as debt collection and children’s online privacy. It also publicizes the FTC’s work in pursuing over 150 enforcement actions resulting in $640 million in consumer refunds, highlighting the actions against mobile carriers’ “cramming” activities and companies that misrepresented the security features of their mobile applications and failed to disclose hidden in-app charges.

    FTC

  • Target and MasterCard Reach $19 Million Agreement Over Data Breach

    Privacy, Cyber Risk & Data Security

    On April 15, retailer Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its card issuers to cover operational costs and fraud-related losses resulting from Target’s 2013 data breach. According to a press release issued by Target, the agreement is contingent upon, among other things, issuers of at least 90 percent of eligible MasterCard accounts accepting the alternative recovery offer, either directly or through their sponsoring issuers, by May 20, 2015. Eligible issuers, mostly banks and credit unions, that accept the offer will be required to release any current or future claims against Target arising from the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later date.

    Credit Cards Privacy/Cyber Risk & Data Security

  • FCC Enters Into $25 Million Settlement Following Cell Phone Carrier Data Breach

    Privacy, Cyber Risk & Data Security

    On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized disclosure of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Colombia, and the Philippines, where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the breach violated the carrier’s duty to protect customer information under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, the settlement requires the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.

    Vendors FCC Enforcement

  • NYDFS Cyber Security Report Shows Vulnerabilities in Banks' Third-Party Vendors

    Privacy, Cyber Risk & Data Security

    On April 9, the NYDFS released a report identifying potential cyber security vulnerabilities arising from banks’ third-party vendors, based on a survey of 40 banking organizations regarding the cyber security standards they impose on their vendors. Notable findings from the report include: (i) nearly one in three banks surveyed do not currently require third-party vendors to notify them in the event of an information security breach or other cyber security incident; (ii) fewer than half of the banks conduct any on-site security assessments of their third-party vendors; (iii) about one in five of the banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements; (iv) only one-third of the banks require that information security requirements be extended to subcontractors of their third-party vendors; and (v) nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products. According to the press release, NYDFS plans to strengthen cyber security standards for banks’ third-party vendors through regulation, including by addressing the representations and warranties banks receive regarding the cyber security protections their vendors have in place.

    Vendors Privacy/Cyber Risk & Data Security NYDFS

  • White House Issues Executive Order To Combat Cyber Attacks

    Privacy, Cyber Risk & Data Security

    On April 1, President Obama issued an executive order granting the Department of the Treasury new authority to impose sanctions on individuals or entities that engage in, or benefit from, malicious cyber-enabled activities directed against U.S. targets, including financial institutions. The executive order responds to an increase in malicious cyber-enabled activities that continue to threaten the national security, foreign policy, and economy of the United States. As noted in a statement released by Treasury Secretary Jack Lew, the executive order “allows [Treasury] to expose and financially isolate those who hide in the shadows of the Internet to conduct malicious cyber activities that threaten the national security, foreign policy, or economic health or financial stability of the United States.” The announcement follows earlier measures taken by the White House to combat cyber attacks, including the creation of a new federal agency to facilitate the sharing of information about potential threats.

    Department of Treasury Obama Privacy/Cyber Risk & Data Security

  • FFIEC Releases Statements on How Financial Institutions Can Identify and Mitigate Cyber Attacks

    Privacy, Cyber Risk & Data Security

    On March 30, the FFIEC released two separate statements on cyber attacks against financial institutions: a Statement on Destructive Malware and a Statement on Compromising Credentials. The statements come in light of the growing number of attacks over the past two years and outline how financial institutions can ensure that their risk management processes and business continuity planning are sufficient to mitigate attacks and to recover from attacks that do occur. Citing the FFIEC’s existing guidance for financial institutions, the statements include, among other things, reminders to: (i) securely configure systems and services; (ii) improve information security awareness and training programs; (iii) protect against unauthorized access to systems; (iv) participate in information-sharing forums; and (v) continually conduct information security risk assessments.

    FFIEC Privacy/Cyber Risk & Data Security

  • FTC Creates New Office To Investigate Consumer Technologies

    Privacy, Cyber Risk & Data Security

    On March 23, the FTC announced, via blog post, the formation of the Office of Technology Research and Investigation (OTRI), a new research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and has an expanded mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smartphones, smart homes, emerging payment methods, the Internet of Things, and big data.

    FTC Mobile Payment Systems Privacy/Cyber Risk & Data Security
