Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social media companies. The investigation, which was requested by New York Governor Andrew Cuomo, determined, among other things, that (i) the social media hackers obtained log-in credentials from four employees by pretending to be from the company’s IT department; (ii) the hackers stole over $118,000 worth of bitcoin from consumers by tweeting “double your bitcoin” with a link to send bitcoin payments from celebrity accounts and several bitcoin companies; (iii) certain Department-regulated cryptocurrency companies blocked attempted transfers to the hacker’s addresses; and (iv) the social media company lacked adequate cybersecurity protection, including not having “a chief information security officer, adequate access controls and identity management, and adequate security monitoring.” The report recommends that the largest social media companies be designated as “systemically important institutions” subject to an analogue council of the Financial Stability Oversight Council. The report suggests the social media companies should be subject to enhanced regulation, including “stress test” scenarios covering cyberattacks and election interference.
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:
- The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
- The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
- Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
Comments on the proposed modifications are due on October 28 by 5:00 p.m.
On October 13, the member nations of the G7 issued a joint statement stressing their commitment to working with the financial services sector to address and mitigate ransomware attacks. The statement highlights the recent increase in ransomware attacks over the last few years and notes that the scale, sophistication, and frequency has intensified as attackers “demand payments primarily in virtual assets to facilitate money laundering.” These ransom payments, the G7 warns, “can incentivize further malicious cyber activity; benefit malign actors and fund illicit activities; and present a risk of money laundering, terrorist financing, and proliferation financing, and other illicit financial activity.” The G7 reminds financial institutions that paying ransom is subject to anti-money laundering/combating the financing of terrorism (AML/CFT) laws and regulations, and warns non-financial services companies that providing certain services, such as money transfers, may subject them to the same obligations. The G7 further urges entities to follow international obligations for reporting ransom payments as suspicious activity and to take measures to prevent sanctions evasions. Moreover, the G7 recommends that entities implement standards set by the Financial Action Task Force to reduce criminals’ access to and use of financial services and digital assets, and emphasizes the importance of implementing effective programs to “hold and exchange information about the originators and beneficiaries of virtual asset transfers.” The G7 plans to share information related to ransomware threats, explore opportunities for coordinated targeted financial sanctions, and encourage a global implementation of AML/CFT obligations on virtual assets and virtual asset service providers.
On October 13, the Conference of State Bank Supervisors (CSBS), joined by the Bankers Electronic Crimes Task Force and the U.S. Secret Service, released a self-assessment tool to help supervised financial institutions mitigate the risk of ransomware attacks. The tool will also help financial institutions assess how well they are managing risks and identify gaps for increasing security. CSBS developed the tool in conjunction with the U.S. Secret Service and the Bankers Electronic Crimes Task Force as incidents of ransomware have been on the rise and continue to spread.
On September 30, a multistate settlement was reached between a health insurance company and a collation of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly comprised the personal information of more than 78 million customers nationwide. According to the states, cyber attackers infiltrated the company’s systems using malware installed through a phishing email. The data breach resulted in the exposure of consumers’ social security numbers, birthdays, and other personal data. Under the terms of the settlement, the health insurer must pay $39.5 million in penalties and fees, and is required to (i) not misrepresent the extent of its privacy and security protections; (ii) implement a comprehensive information security program, including “regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO”; (iii) implement specific security requirements, including “anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training”; and (iv) schedule third-party assessments and audits for three years.
Separately, the California AG reached a $8.69 million settlement, subject to court approval, in a parallel investigation, which requires the health insurer to, among other things, implement changes to its information security program and fix vulnerabilities to prevent future data breaches.
Previously in 2018, the health insurer reached a $115 million class action settlement, which provided for two years of credit monitoring, reimbursement of out-of-pocket costs related to the breach, and alternative cash payment for credit monitoring services already obtained (covered by InfoBytes here).
On September 29, the California governor signed AB 1281, which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, and provides consumers several rights regarding their personal information that is held by a business. Specifically, the exemptions at issue in AB 1281 apply to “information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.” The exemptions also apply to certain personal information used in communications or transactions between a business and a consumer if the “consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” However, the act will only take effect if a ballot proposition does not pass during the November statewide general election.
On September 28, the Rhode Island Department of Business Regulation, Banking Division, extended previous guidance (previously covered here and here) issued to mortgage loan originators, lenders, loan brokers, and exempt company registrants. The guidance permits working from home, even if the home is located outside of Rhode Island or is not a licensed branch, so long as specified data security provisions are met. The department extended this guidance until December 31, 2020.
California AG, former FTC chairs argue about federal privacy law preemption during Senate committee hearing
On September 23, the Senate Committee on Commerce, Science, and Transportation held a hearing titled, “Revisiting the Need for Federal Data Privacy Legislation.” The hearing examined the current state of consumer data privacy and legislative efforts to provide baseline data protections for American consumers, and examined the lessons learned from the EU’s Global Data Protection Regulation (GDPR) and recently enacted state privacy laws. Witnesses included a number of former chairs and commissioners of the FTC, along with California Attorney General Xavier Becerra.
Becerra discussed the California Consumer Privacy Act (CCPA), which sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information, and provides California residents several rights, including the right to know what data companies have collected on them and the right to ask to delete data or opt-out of its sale. (See continuing InfoBytes coverage on the CCPA here.) Concerning future federal privacy legislation, Becerra stressed that any such legislation should not preempt the work happening at the state level, and he urged the Committee “to favor legislation that sets a federal privacy-protection floor rather than a ceiling,” in order to allow states the opportunity to provide tailored protections for their residents. Becerra also stressed that the ideal federal legal framework would “recognize that privacy protections must keep pace with innovation,” and further addressed the need for a meaningful enforcement regime that respects the work undertaken by the states.
Former FTC chairs Jon Leibowitz and Maureen Ohlhausen, however, argued (see here and here) in favor of federal preemption. They suggested that a single national comprehensive privacy standard would be stronger and more comprehensive than existing regimes such as the CCPA and GDPR, and could better serve consumers even if it replaces state regulations. Both stressed that preempting state laws should not mean weakening protections for consumers. Moreover, both Leibowitz and Ohlhausen emphasized that federal privacy legislation should be technology- and industry-neutral, with rigorous standards backed by tough enforcement. Leibowitz also urged Congress to provide the FTC with the ability to impose civil penalties on violators for first-time offenses, and recommended that the FTC be granted the primary authority to administer the law and be given continued authority to provide redress directly to consumers. Former chair William Kovacic presented a different approach, which would establish a domestic privacy network to promote cooperation and coordination between federal and state privacy regulators to improve policy formation.
Other topics covered in the hearing included Chairman Roger Wicker’s (R-MS) recently introduced bill (S. 4626), known as the SAFE DATA Act, which would require businesses to be more transparent about their data collection, processing, and transfer activities, and give consumers more choices and control over their data. Among other things, the bill would preempt privacy laws in California and other states, except in regard to data breaches, and would not include a private right of action allowing consumers to sue over privacy violations.
On September 23, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, here and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order to satisfy the department guidance. The guidance also provides that the department will expedite and waive fees for change of address applications in the event that a licensed location is compromised by Covid-19 or is undergoing decontamination. The guidance was extended through October 31, 2020.
On September 23, the Oklahoma Department of Consumer Credit extended, for the fourth time, its interim guidance to regulated entities on working from home (see here, here, here, and here for previous coverage). The guidance sets forth data security standards for regulated entities with employees working from home and also provides that the department will expedite and waive fees for change of address applications in the event that a licensed location is compromised by Covid-19 or is undergoing decontamination. The guidance was extended through October 31, 2020.
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "Cyber security, incident response, crisis management" at the Legal & Diversity Summit
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "BSA/AML - Covid impact and regulatory/guidance roundup" at an NAFCU webinar
- Daniel P Stipano to moderate "Digital identity: The next gen of CIP" at the American Bankers Association/American Bar Association Financial Crimes Enforcement Conference