InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Consumer Protection Organization Petitions FTC To Enforce U.S.-EU Safe Harbor Framework
On August 14, the Center for Digital Democracy (CDD) announced that it filed a complaint with the FTC claiming that 30 U.S. companies are compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, in violation the U.S.-EU Safe Harbor Framework. The U.S.-EU Safe Harbor Framework established a self-certification program that allows a company to collect information from European consumers without strictly following the EU’s more stringent data protection standards, provided the company (i) provides clear notice of their data-collection practices and data uses; and (ii) allows consumers to “opt-out” of data collection practices to which they did not previously agree. According to its press release, the CDD wants the FTC to investigate the companies for “relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though [U.S.-EU] Safe Harbor requires meaningful transparency and candor.” The complaint identifies several broad concerns that the CDD claims illustrate the inadequacy of the U.S.-EU Safe Harbor Framework, including: (i) the failure of U.S.-EU Safe Harbor declarations and required privacy policies to provide accurate and meaningful information to EU consumers; (ii) a lack of transparency by companies about their data collection; and (iii) the failure of companies to provide meaningful opt-out mechanisms. The FTC has already taken more than a dozen actions this year to enforce the U.S.-EU Safe Harbor Framework.
FTC Reports Mobile Shopping App Consumer Disclosures Are Insufficient
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.
Payment Cards Security Standards Organization Publishes Third-Party Security Assurance Guidance
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
ANSI Seeks Participants For Technical Committee On Security
On June 25, the American National Standards Institute (ANSI) issued a call for organizations with an interest in security to participate in an advisory committee to a new International Organization for Standardization (ISO) technical committee. The ISO is planning to restructure its security sector to consolidate the work of three existing technical committees—Societal security; Fraud countermeasures and controls; and Management system for quality of private security company operations. The new committee will begin work on January 1, 2015 and will cover standardization in the field of security including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, and homeland security. Organizations interested in participating in the advisory committee must contact ANSI by July 4, 2014.
Florida Strengthens Data Breach Law
On June 20, Florida Governor Rick Scott signed SB 1524, which significantly revises and strengthens the state’s data breach notice law, making it among the toughest in the country. The bill shortens the timeline for providing notice of a data breach to require notice to consumers within 30 days of the “determination of a breach.” The bill also adds a parallel requirement to notify the state attorney general’s office for an incident affecting more than 500 state residents. The bill also provides that consumer notice by email will no longer require an E-SIGN consent. The new law clarifies the application of data breach requirements by amending the definition of “covered entity” to mean “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.” The bill also expands the definition of “personal information” to add, as was done in California last year, user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. The bill requires covered entities to take reasonable measures to (i) protect and secure data in electronic form containing personal information and (ii) dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Finally, the bill revised the risk of harm provision in two noteworthy ways: (i) like Connecticut and Alaska, law enforcement must be consulted to employ the exemption to noticeand (ii) the exemption appears to cover only consumer notice, not AG notice. The changes take effect July 1, 2014.
Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account fall on the customer and not the bank.
FTC Report Calls For Increased Data Broker Transparency
On May 27, the FTC released a report that claims—based on a study of nine data brokers—that data brokers generally operate with a “fundamental lack of transparency.” The FTC describes data brokers as companies that collect personal information about consumers from a wide range of sources and then provide that data for purposes of verifying an individual’s identity, marketing products, and detecting fraud or otherwise mitigating risk. The report is based in part on the nine brokers’ responses to FTC orders that required the brokers to provide information about: (i) the nature and sources of the consumer information the data brokers collect; (ii) how they use, maintain, and disseminate the information; and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold or shared. The report summarizes the companies’ data acquisition processes, their product development and the types of products they provide, the quality of the data collected and sold, the types of clients to whom the data is sold, and consumer controls over the information. The FTC recommends that Congress consider enacting data broker legislation that would, among other things: (i) require data brokers to give consumers access to their data and the ability to opt out of having it shared for marketing purposes; (ii) require data brokers to clearly disclose that they not only use raw data, but that they also derive certain inferences from the data; (iii) address gaps in FCRA to provide consumers with transparency when a company uses a data broker’s risk mitigation product that limits a consumer’s ability to complete a transaction; and (iv) require brokers who offer people search products to allow consumers to access their own information and opt out of the use of that information, and to disclose the sources of the information and any limitations of the opt out.
CA AG Publishes Guide On Online Privacy Policies
On May 21, California AG Kamala D. Harris issued a guide providing recommendations to businesses affected by the 2013 amendments to the California Online Privacy Protection Act (CalOPPA). Those amendments require website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information (PII) over time and across different sites or online services. In developing an online privacy policy, the guide advises companies to use plain language, in an easily readable format, and to clearly and conspicuously identify and explain its online tracking and PII collection and sharing practices. Additionally, the guide recommends that policies provide (i) the choices a consumer has regarding the collection, use, and sharing of PII; (ii) a link to any privacy policy maintained by third parties receiving PII; and (iii) contact information for questions or concerns.
European Court of Justice Holds Individuals Have "Right To Be Forgotten"
On May 13, the European Court of Justice held that an internet search operator is responsible for the processing of personal data that appear on web pages published by third parties, and that an individual has a right to ask a search engine operator to remove from search results specific links to materials that include the individual’s personal information. The court considered the issue in response to questions referred from a Spanish court about the scope of a 1995 E.U. directive designed to, among other things, protect individual privacy rights when personal data are processed. The court determined that “by searching automatically, constantly and systematically for information published on the internet, the operator of a search engine ‘collects’ data within the meaning of the directive,” and further determined that the operator “processes” and “controls” individual personal data within the meaning of the directive. The court held that a search engine operator “must ensure, within the framework of its responsibilities, powers and capabilities, that its activity complies with the directive’s requirements,” including by, in certain circumstances, removing “links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name,” even when publication of that person’s information on those pages is lawful. Further, the court held that although the search engine operator’s processing operations take place outside of the E.U., the operator is covered by the directive because the operator also has operations in an E.U. member state that were “intended to promote and sell, in the Member State in question, advertising space offered by the search engine in order to make the service offered by the engine profitable.”
New York Plans Targeted Bank Cybersecurity Examinations
On May 6, New York Governor Andrew Cuomo released a report on bank cybersecurity preparedness and directed the New York State Department of Financial Services (DFS) to conduct targeted cybersecurity preparedness assessments of the DFS-regulated banks. The DFS is revising its examination procedures to add questions to assess IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery. DFS plans to release additional details about the timing and content of these examination procedures in the coming weeks. The report follows a year-long survey of 154 DFS-regulated banks, which revealed that “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.” The review revealed that third-party payment processor breaches were reported by 18% and 15% of small and large institutions, respectively, and that large institutions also cited mobile banking exploitation, ATM skimming/point-of-sale schemes), and insider access breaches. Last year, the DFS announced a similar inquiry into cyber preparedness at insurance companies it regulates.