
InfoBytes Blog

Financial Services Law Insights and Observations


  • Treasury Deputy Secretary Raskin Delivers Remarks On Cyber Security

    Privacy, Cyber Risk & Data Security

    On March 25, the Department of the Treasury’s Deputy Secretary Raskin delivered remarks regarding the agency’s efforts to enhance cybersecurity as the number of cyber-attacks continues to increase. Raskin outlined three specific areas where financial institutions can better prepare for cyber threats and enhance “cyber resilience” in the event of a cyberattack: (i) increase information sharing among financial institutions, thereby making this a priority for the financial sector worldwide; (ii) ensure that safeguards are in place for all third-party vendors with access to the financial institution’s data and systems; and (iii) design a cyber-preparedness “playbook” that has a “detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery and time costs, and instill confidence in outside stakeholders and the public.”

    Vendors Department of Treasury Privacy/Cyber Risk & Data Security

  • FFIEC Provides Overview of Cybersecurity Priorities

    Privacy, Cyber Risk & Data Security

    On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.

    FFIEC Bank Supervision Privacy/Cyber Risk & Data Security

  • Large Retailer Agrees to Pay $10 Million Related to Data Breach Incident

    Privacy, Cyber Risk & Data Security

    On March 19, a district court granted preliminary approval of a settlement in which a large retailer agreed to pay $10 million to settle a class-action suit related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. Under the proposed settlement, the retailer will deposit the settlement amount into escrow to pay individual victims up to $10,000 in damages. In addition, the proposed settlement requires the retailer to (i) maintain a written information security program and (ii) appoint a Chief Information Security Officer. The proposed settlement is pending court approval.

    Class Action Privacy/Cyber Risk & Data Security

  • Financial Institutions File Class Action Suit In Response to Data Breach

    Privacy, Cyber Risk & Data Security

    On March 13, a federal credit union filed a class action suit against a national retailer and parent company, alleging their actions during a September 2014 data breach injured credit unions, banks, and other financial institutions. Greater Chautauqua FCU v. Kmart Corp and Sears Holdings Corp., No. 15-cv-2228 (N.D. Ill. Mar. 13, 2015). The complaint contends that financial institutions (i) were required to, among other things, refund fraudulent charges, respond to a higher volume of customer complaints, and increase fraud monitoring efforts, and (ii) lost revenue due to a decrease in card usage after the breach was disclosed. The complaint alleges that the retailer failed to maintain adequate data security under applicable payment card industry standards, particularly in the wake of well-publicized data breaches at other retailers by third parties using similar techniques and malicious software. Moreover, the retailer failed to detect or notify customers for a period of at least five weeks. The complaint was filed in US District Court for the Northern District of Illinois, and alleges damages in excess of $5,000,000 for violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Business Act, and New York General Business Law, as well as negligence, and negligent misrepresentation and/or omission.

    Class Action Privacy/Cyber Risk & Data Security

  • Wyoming Amends State Consumer Protection Act

    Privacy, Cyber Risk & Data Security

    On March 2, the Wyoming legislature passed S.F. 35 and S.F. 36, which amend the state’s Consumer Protection Act to enhance privacy protections for sensitive personal information. With a limited exception for entities covered by the Health Insurance Portability and Accountability Act, S.F. 35 subjects individuals and commercial entities to additional data breach notification requirements, including providing Wyoming residents with information such as (i) the type of information subject to the breach, (ii) a general description of the breach incident, (iii) the approximate date of the breach, (iv) the steps taken by the individual or entity to prevent further breaches, (v) advice on how to review accounts and monitor credit reports, and (vi) whether notification was delayed by a law enforcement investigation. S.F. 36 expands the categories of personal identifying information that trigger protections under the Consumer Protection Act. Assuming signature by Governor Mead, the laws will take effect July 1, 2015.

    Privacy/Cyber Risk & Data Security

  • White House Releases Cyber Threat Intelligence Integration Center Fact Sheet

    Privacy, Cyber Risk & Data Security

    On February 25, the White House issued a fact sheet regarding the establishment of the Cyber Threat Intelligence Integration Center (CTIIC), which outlines the CTIIC’s purpose, authority, and organizational structure, and how it will interact with other cybersecurity centers. According to the fact sheet, the CTIIC “will be a national intelligence center focused on ‘connecting the dots’ regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests, and on providing all-source analysis of threats to U.S. policymakers.” The CTIIC will provide a “cross-agency view of foreign cyber threats, their severity, and potential attribution” by supporting the operations of other agencies like the National Cybersecurity and Communications Integration Center (NCCIC), the National Cyber Investigative Joint Task Force (NCIJTF), and US Cyber Command.

    Privacy/Cyber Risk & Data Security Obama Cyber Threat Intelligence Integration Center

  • New York Bank Regulator Considering Cybersecurity Regulations, Random Audits of Banks

    Privacy, Cyber Risk & Data Security

    On February 25, New York DFS Superintendent Benjamin Lawsky delivered remarks at Columbia Law School focusing on how state bank regulators can better supervise financial institutions in a post-financial crisis era. In his remarks, Lawsky stated that “real deterrence” to future misconduct “means a focus not just on corporate accountability, but on individual accountability” at the senior executive level. Lawsky also highlighted measures that DFS is considering to prevent money laundering, including conducting random audits of regulated firms’ “transaction monitoring and filtering systems” and making senior executives attest to the adequacy of the systems. Lastly, Lawsky outlined several cybersecurity initiatives and considerations that would require third-party vendors to have cybersecurity protections and regulations in place that would mandate the use of “multi-factor authentication” systems for DFS-regulated firms.

    Anti-Money Laundering Bank Supervision Privacy/Cyber Risk & Data Security NYDFS

  • Industry Trade Groups Urge Congress to Pass Legislation to Protect Consumers from Data Breaches

    Privacy, Cyber Risk & Data Security

    On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort by the industry to lobby Congress to pass legislation to combat increasing data breaches and fraud.

    Fraud U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • White House Unveils New Federal Cybersecurity Agency

    Privacy, Cyber Risk & Data Security

    On February 10, the White House announced it will establish the Cyber Threat Intelligence Integration Center (CTIIC). In prepared remarks, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, revealed that the CTIIC will be responsible for integrating intelligence about cyber threats, providing analysis to policymakers and operators, and supporting the work of existing Federal government Cyber Centers, network defenders, and local law enforcement agencies. The agency will operate under the auspices of the Director of National Intelligence.

    Cyber Threat Intelligence Integration Center Privacy/Cyber Risk & Data Security

  • New York DFS Announces Targeted Cybersecurity Examinations, Releases Report on Insurance Companies

    Privacy, Cyber Risk & Data Security

    On February 8, New York DFS Superintendent Benjamin Lawsky announced that the DFS would begin (i) regularly examining insurance companies’ cyber security preparedness; (ii) enhancing regulations that will require insurance providers to meet higher standards of cyber security; and (iii) examining “stronger measures related to the representations and warranties insurance companies receive from third-party vendors.” Lawsky expects the targeted exams to begin in the “coming weeks and months.” The announcement was accompanied by the release of the state agency’s report on cybersecurity in the insurance industry.

    Examination Nonbank Supervision Privacy/Cyber Risk & Data Security NYDFS
