
InfoBytes Blog

Financial Services Law Insights and Observations


  • Software company to pay $3 million to SEC for misleading disclosures about ransomware attack

    Securities

    On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had in fact accessed and exfiltrated that sensitive information, which had been stored unencrypted. The SEC maintained that, because of the company’s alleged failure to maintain disclosure controls and procedures, the employees who knew the true scope of the intrusion did not inform the senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and to cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.

    Securities SEC Enforcement Privacy, Cyber Risk & Data Security Ransomware Securities Act Securities Exchange Act

  • Design firm to settle False Claims Act allegations related to cybersecurity failures

    Privacy, Cyber Risk & Data Security

    On March 14, the DOJ announced a $293,771 settlement with a design company to resolve alleged False Claims Act (FCA) violations related to failures in its cybersecurity practices. According to the DOJ, the company failed to secure personal information on a federally funded Florida children’s health insurance website that was created, hosted, and maintained by the company. “Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, said in the announcement. “We will use the [FCA] to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.” In this case, the Florida entity (which receives federal Medicaid funds, as well as state funds, to provide children’s health insurance programs) contracted with the design company for the provision of a hosting environment that complied with HIPAA’s personal information protection requirements. The company also agreed to adapt, modify, and create code on the web server to support the secure communication of data. However, between January 1, 2014, and December 14, 2020, the company allegedly failed to provide secure hosting of applicants’ personal information and failed to implement necessary updates. In December 2020, the website experienced a data breach that potentially exposed more than 500,000 applicants’ personal identifying information and other data. In response to the data breach and the company’s cybersecurity failure, the Florida entity shut down the website’s application portal.

    Privacy, Cyber Risk & Data Security Federal Issues DOJ False Claims Act / FIRREA Enforcement Data Breach

  • CFPB seeks input on data broker businesses

    Federal Issues

    On March 15, the CFPB issued a Request for Information (RFI) seeking public input on data broker business practices in order to inform planned rulemaking under the FCRA and help the agency understand the current state of the industry. “Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data,” CFPB Director Rohit Chopra said in the announcement. He added, “[o]ur inquiry will inform whether rules under the [FCRA] reflect these market realities.” The Bureau explained that the FCRA—which covers data brokers such as credit reporting companies and background screening firms, as well as parties who report information to these firms—provides several protections, including accuracy standards, dispute rights, and restrictions on how data can be used. The RFI seeks feedback on business models and practices used by the data broker market, including information about the types of data being collected and sold and the sources data brokers rely upon. In particular, the Bureau seeks information on consumer harm and market abuses, and wants to understand “whether companies using these new business models are covered by the FCRA, given the FCRA’s broad definitions of ‘consumer report’ and ‘consumer reporting agency.’” The Bureau stated it is also interested in learning about consumers’ direct experiences with data brokers, including when consumers try to remove, correct, or regain control of their data. Comments on the RFI are due by June 13.

    Federal Issues Agency Rule-Making & Guidance CFPB Consumer Finance Data Brokers FCRA Credit Report

  • Wyoming to regulate debt buyers as collection agencies

    On February 27, the Wyoming governor signed HB 284, which requires debt buyers to be licensed as “collection agencies” beginning July 1. Under the act, a collection agency now includes any person who operates as a debt buyer, defined as “any person that is regularly engaged in the business of purchasing charged-off consumer debt for collection purposes, whether the person collects the debt, hires a third party for collection of the debt or hires an attorney for collection litigation[.]” As a result, debt buyers will be regulated by the Collection Agency Board. Importantly, the act protects the validity of any civil action or arbitration filed or commenced by a debt buyer, or any judgment entered for a debt buyer, prior to the effective date.

    Licensing State Issues Wyoming State Legislation Debt Buyer Debt Collection

  • REPO task force highlights efforts taken against sanctioned Russians

    Financial Crimes

    On March 9, the multilateral Russian Elites, Proxies, and Oligarchs (REPO) Task Force released a statement on the group’s continued work one year after Russia’s invasion of Ukraine. As previously covered by InfoBytes, the U.S. Treasury Department, along with representatives from Australia, Canada, Germany, France, Italy, Japan, the United Kingdom, and the European Commission, formed REPO last February to collect and share information among authorities in order “to take concrete actions, including sanctions, asset freezing, and civil and criminal asset seizure, and criminal prosecution.” REPO noted that it has, among other things, (i) blocked or frozen more than $58 billion in sanctioned Russian assets; (ii) taken collective measures to restrict sanctioned Russians’ access to the global financial system and “to investigate and counter Russian sanctions evasions, including attempts to hide or obfuscate assets, illicit cryptocurrency and money laundering schemes, illicit Russian defense procurement, and sanctioned Russians’ use of financial facilitators”; (iii) led international sanctions enforcement efforts; (iv) “[w]orked to update or expand and implement REPO members’ respective legal frameworks that enable the freezing, seizure, forfeiture and/or disposal of assets”; and (v) brought about the first forfeiture of a sanctioned Russian’s assets, as part of a $5.4 million transfer of foreign assistance funds to Ukraine. REPO also issued a joint Global Advisory on Russian Sanctions Evasion, intended to ensure effective sanctions implementation and compliance across member jurisdictions.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury Russia Ukraine Ukraine Invasion OFAC Sanctions OFAC Designations

  • OFAC sanctions Iran’s international UAV procurement network

    Financial Crimes

    On March 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against a China-based network of five companies and one individual accused of supporting Iran’s unmanned aerial vehicle (UAV) procurement efforts, pursuant to Executive Order 13382. According to OFAC, the network “is responsible for the sale and shipment of thousands of aerospace components, including components that can be used for UAV applications,” to an Iranian aircraft manufacturing company that OFAC previously sanctioned in 2008 for being owned or controlled by Iran’s Ministry of Defense and Armed Forces Logistics and for having provided support to Iran’s Islamic Revolutionary Guard Corps.

    As a result of the sanctions, all property interests belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property interests of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Iran SDN List

  • District Court approves $1.75 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 3, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial information, social security numbers, health records, and other personal data. The affected individuals are students, parents, and guardians who were enrolled in a system used to manage student data in a California school district. According to class members, by failing to adequately safeguard users’ login credentials and by failing to timely notify individuals of the breach, the company violated, among other things, California’s unfair competition law, the California Customer Records Act, and the California Consumer Privacy Act.

    Under the terms of the settlement, the company is required to pay a non-reversionary settlement amount of $1.75 million, which will be used to compensate class members and pay for attorney fees and costs, service awards, and administrative expenses. Additionally, as outlined in the motion for preliminary approval of the class action settlement, class members are eligible to submit claims for “ordinary losses” (capped at $1,000 per person), as well as “extraordinary losses” (capped at $10,000 per person). Ordinary losses include expenses such as bank fees, long-distance phone charges, certain cell phone charges, postage, gasoline for local travel, “[f]ees for additional credit reports, credit monitoring, or other identity theft insurance products,” and compensation for time spent dealing with the data breach at $25 per hour, capped at 40 hours, provided the class member spent at least one full hour on it. Extraordinary losses are described as those “arising from financial fraud or identity theft” where the “loss is an actual, documented, and unreimbursed monetary loss” and is “fairly traceable to the data breach” and not already covered by another reimbursement category. Class members must also show that they made “reasonable efforts to avoid, or seek reimbursement for, the loss.” All class members will be offered 12 months of credit monitoring and identity theft protection at no cost, and the company will implement “information security enhancements” to prevent future occurrences.

    Privacy, Cyber Risk & Data Security Courts Settlement Data Breach Class Action State Issues California CCPA

  • HHS releases health care cybersecurity guide

    Privacy, Cyber Risk & Data Security

    On March 8, the Department of Health and Human Services (HHS) released a cybersecurity implementation guide to help the public and private health care sectors prevent cybersecurity incidents. The Cybersecurity Framework Implementation Guide was developed jointly with the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Council Cybersecurity Working Group. Substantial contributions to the guide were also provided by the National Institute of Standards and Technology (NIST) and other federal agencies. HHS explained that the guide is intended to help health care organizations implement the 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity on top of their existing security measures, stating that the guide should be used to assess current cybersecurity practices and risks and identify gaps for remediation. Among other things, the guide (i) outlines risk management principles and best practices; (ii) provides a common language for addressing and managing cyber risk; (iii) lays out a structure for applying cyber risk management; and (iv) identifies “effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs.”

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Federal Issues Department of Health and Human Services NIST

  • States receive $245 million judgment against robocall operation

    State Issues

    On March 6, the U.S. District Court for the Southern District of Texas entered stipulated orders and permanent injunctions against two individuals who, along with their companies (also named as defendants in the litigation), allegedly operated a massive robocall campaign to sell extended car warranties and health care services. Eight state attorneys general alleged violations of the TCPA and the Telemarketing Sales Rule, as well as various state consumer protection laws, claiming that the defendants initiated millions of robocalls to individuals nationwide without their prior express consent, spoofed caller ID numbers to mislead recipients, and called people whose numbers were on the Do Not Call Registry. Under the terms of the orders, the individual defendants (who neither admitted nor denied the allegations) are permanently banned from initiating or facilitating (or causing others to initiate or facilitate) any robocalls, working in or with companies that make robocalls, or engaging in any telemarketing. The court also ordered each individual defendant to pay a $122.3 million monetary judgment; however, these payments are largely suspended because of the defendants’ inability to pay, leaving the permanent bans as the primary remedy. The states noted that they are continuing their cases in the same action against others who allegedly worked with the individual defendants to facilitate the robocalls.

    State Issues State Attorney General Robocalls TCPA Telemarketing Sales Rule Do Not Call Registry Enforcement

  • Fed issues Bank Term Funding Program FAQs

    On March 13, the Federal Reserve Board issued FAQs on its Bank Term Funding Program, which launched March 12 to provide additional funding to eligible depository institutions so that they can meet depositors’ needs. The program will serve as an additional source of liquidity against high-quality securities and will eliminate the need for an institution to quickly sell those securities in times of stress. Loans of up to one year in length will be made available to “banks, savings associations, credit unions, and other eligible depository institutions pledging U.S. Treasuries, agency debt and mortgage-backed securities, and other qualifying assets as collateral.” The Fed said in its announcement that it “is closely monitoring conditions across the financial system and is prepared to use its full range of tools to support households and businesses, and will take additional steps as appropriate.”

    Bank Regulatory Federal Issues Federal Reserve
