InfoBytes Blog

Financial Services Law Insights and Observations


  • First Circuit Holds Bank May Be Liable For Customer Losses from Cyber Attacks

    Consumer Finance

    On July 3, the U.S. Court of Appeals for the First Circuit became the first federal appellate court to address the issue of bank liability for the loss of customer funds resulting from a breach of a bank’s cyber security, reversing a district court’s holding that the bank was not liable for such losses because its security protections were commercially reasonable. Patco Const. Co., Inc. v. People’s United Bank, No. 11-2031, 2012 WL 2543057 (1st Cir. Jul. 3, 2012). Patco Construction Company, a commercial banking customer, suffered losses when cyber attackers gained electronic access to its account and made a series of unauthorized withdrawals. The customer sued the bank to recover the lost funds. The district court granted summary judgment in favor of the bank, holding that the customer should bear the loss from the fraudulent transfers because the bank’s cyber security protections were commercially reasonable, and the customer had agreed that the procedures were reasonable when it signed the contract to add its electronic account. On appeal the customer argued that the procedures were not commercially reasonable, that it did not agree to the procedures, and that the bank did not comply with its own procedures. Specifically, the customer argued that the bank increased the risk of compromised security when it decided to lower the threshold that triggered account verification questions from $100,000 to $1, essentially requiring that the verification questions be answered for every transaction without considering the circumstances of the customer and the transaction. The First Circuit agreed. It found that the procedure change increased the risk of fraud through unauthorized use of compromised security answers. Moreover, after it had warning that fraud was likely occurring, the bank did not monitor the transaction or provide notice to the customer. The court held that the bank’s collective security failures, when compared to the security measures employed by other financial institutions and the bank’s capacity to implement more robust protections, rendered its security procedures commercially unreasonable. The court reversed the district court’s ruling in favor of the bank and remanded for further proceedings.

    Privacy/Cyber Risk & Data Security

  • NIST Proposes Update To Mobile Device Security Guidelines

    Fintech

    On July 11, the National Institute of Standards and Technology released a proposed update to its guidelines for securing mobile devices. Originally published as Guidelines on Cell Phone and PDA Security, the proposed Guidelines for Managing and Securing Mobile Devices in the Enterprise offer new recommendations for devices used by the federal government. The draft guidelines provide recommendations for developing centralized device management systems, with specific guidance related to (i) developing system threat models, (ii) establishing mobile device security policies, and (iii) implementing and testing prototype mobile device solutions, among other topics.

    NIST Privacy/Cyber Risk & Data Security

  • Mobile App Developer Agrees to Stop Collecting and Using Children's Data in Settlement

    Fintech

    On June 27, the New Jersey Attorney General’s office announced a consent decree and injunction against 24x7digital LLC, a mobile app company, settling charges under the Children’s Online Privacy Protection Act (COPPA). The company created a series of apps for children in preschool through second grade that encouraged children to provide their first and last names and photos for personal profiles. Under the settlement, the company agreed to stop collecting, using, and disclosing children’s personal information without verifiable parental consent. The company also agreed to provide direct notice to parents of the types of information it collects and what it does with that information.

    Privacy/Cyber Risk & Data Security

  • FTC Sues Hotel Corporation and Subsidiaries Over Data Protection Practices

    Fintech

    On June 26, the FTC filed a complaint in the U.S. District Court for the District of Arizona alleging that Wyndham Worldwide Corporation (and several of its subsidiaries) violated the FTC Act by misrepresenting the adequacy of their data security procedures. The FTC specifically maintains that Wyndham and its subsidiaries engaged in unfair and deceptive practices when they represented on their website that they maintained measures adequate to protect customers’ personal information. In truth, the FTC alleges, Wyndham failed to maintain such protections. According to the FTC, the companies’ lack of reasonable data security allowed intruders to obtain unauthorized access to that information on three separate occasions. These breaches purportedly resulted in more than $10.6 million in fraud loss and the export—to a foreign-registered domain—of payment card account information for hundreds of thousands of consumers.

    FTC Privacy/Cyber Risk & Data Security

  • State Law Update: NAAG to Focus on Privacy; Vermont, Connecticut, Oklahoma Make E-Commerce Changes

    Fintech

    Incoming NAAG President to Focus on Privacy Issues. On June 22, after being elected president of the National Association of State Attorneys General (NAAG), Maryland Attorney General Doug Gansler announced a year-long Presidential Initiative titled “Privacy in the Digital Age.” The Initiative will explore the best ways to manage consumer privacy risks in light of “emerging technologies and business models” that are challenging consumers’ ability to control their personal information. Through the Initiative, state Attorneys General will attempt to ensure that “the Internet’s major players protect online privacy and provide meaningful options for privacy control” to consumers.

    Two States Expand Data Breach Notification Requirements. Recently, Connecticut and Vermont altered state requirements for firms experiencing a data breach to report the breach. Connecticut’s revision – in the state’s annual budget bill, House Bill 6001 – expanded existing breach notification provisions to include notification to the state attorney general and takes effect October 1, 2012. Vermont amended, in House Bill 254, its breach notice law to require consumer notice of a security breach within 45 days and notification to the attorney general within 14 days of discovery of the incident. The Vermont requirement was effective as of May 8, 2012.

    Oklahoma High Court Approves Rules for Electronic Filing and Signatures. On June 21, the Supreme Court of Oklahoma issued new state court rules governing the electronic filing of court documents in that state. These rules apply to a new statewide electronic management system that will replace the mix of electronic and paper-based record systems previously used in Oklahoma. Among other things, the rules provide for the use of electronic signatures where any statute or court rule requires a person’s signature in an Oklahoma state court. Like the new electronic system, the new rules will be phased in gradually; they become effective in each district and appellate court at the time the Oklahoma Unified Case Management System is implemented in that court.

    State Attorney General Electronic Signatures Privacy/Cyber Risk & Data Security

  • NTIA Announces First Privacy Stakeholder Meeting

    Fintech

    On June 15, the National Telecommunications and Information Administration (NTIA) announced that the first meeting of a privacy multistakeholder process will be held on July 12, 2012. The meeting is the first in a series intended to produce a code of conduct that will provide transparency in the handling of personal data by mobile application and services companies. The multistakeholder process derives from the White House’s Privacy Blueprint released in February 2012, which set forth a Consumer Privacy Bill of Rights and designed the multistakeholder process to develop legally enforceable codes of conduct across diverse business contexts.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • NIST Publishes Cloud Computing Guidance

    Fintech

    Recently, the National Institute of Standards and Technology (NIST) published a document entitled Cloud Computing Synopsis and Recommendations, which (i) reprises NIST’s definition of cloud computing, (ii) describes cloud computing benefits and open issues, (iii) presents an overview of the major classes of cloud technology, and (iv) provides guidance for organizations assessing cloud computing risks and opportunities. The NIST publication presents a range of factors to be considered as part of the overall business decision to employ cloud technology, including security issues related to data confidentiality and integrity. Although developed for use by federal agencies, the NIST report may influence policy decisions and may be a useful resource for private firms seeking to understand the benefits and risks of cloud technology.

    NIST Privacy/Cyber Risk & Data Security

  • Fannie Mae and Freddie Mac Update Servicing Requirements

    Lending

    On June 13, Freddie Mac published Bulletin 2012-13, which updates multiple servicing requirements in the Single-Family Seller/Servicer Guide. With regard to the state foreclosure timeline, the Bulletin (i) adds several circumstances in which the timeline will be extended for all foreclosure sales completed on or after January 1, 2012, (ii) revises the calculation for compensatory fees associated with exceeding a state foreclosure timeline, and (iii) alters the compensatory fee appeal process. With regard to certain operational procedures, the Bulletin (i) adds a time frame for reimbursement of taxes that were incurred and paid to a taxing authority for non-real estate owned expenses, (ii) allows wire transfers for REO-related remittances, and (iii) clarifies the time frame for submitting modification agreements to document custodians. The Bulletin also makes changes to the Guide related to unemployment forbearance, the quality right party contact performance standard, fraud prevention and reporting, and MERS Rule 14.

    Also on June 13, Fannie Mae published Announcement SVC-2012-10, which updates its notice of data breach and incident response policy to require servicers to provide written notice to Fannie Mae of a data breach in addition to any reporting to consumers or state authorities required under applicable state law. A servicer also must request permission to use Fannie Mae’s name if it intends to refer to Fannie Mae in any notices sent to affected borrowers or regulatory agencies. On the same day, Fannie Mae also published Announcement SVC-2012-11, which updates and clarifies for all mortgages with a foreclosure sale date on or after January 1, 2012, (i) the maximum allowable foreclosure time frames for twelve jurisdictions, (ii) compensatory fee assessments and appeals, and (iii) the preferred method of foreclosure in Montana and Nebraska.

    Foreclosure Freddie Mac Fannie Mae Mortgage Servicing Privacy/Cyber Risk & Data Security

  • FTC Settles FCRA Charges Against Data Broker

    Fintech

    On June 12, the FTC announced that a data broker agreed to settle charges that it marketed and sold consumer profiles to companies engaged in human resources, background screening, and recruiting without taking steps to protect consumer information as required by FCRA. The FTC claimed that the data broker operated as a consumer reporting agency and violated FCRA when it failed to ensure that the information it compiled and sold would be used only for permissible purposes. The broker also allegedly failed to ensure that consumer information it sold was accurate and failed to inform buyers of their FCRA obligations. Among other things, the settlement requires the data broker to pay an $800,000 civil penalty and prohibits the firm from any future violations of FCRA.

    FTC FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • FTC Settles Privacy, Data Security Charges Based On Peer-to-Peer File Sharing Against Two Firms

    Fintech

    On June 7, the FTC announced two new cases (and simultaneous settlements), one against a debt collector and the other against an auto dealer, alleging privacy and data violations based on the use of peer-to-peer file sharing software. In both cases, the FTC claims that the firms allowed file-sharing software to be installed on company computers, thereby allowing files containing personal customer information to be accessed by any other person using a networked computer. Both companies, according to the FTC, (i) did not have adequate security plans, (ii) did not use reasonable measures to enforce compliance with existing security policies, (iii) did not adequately train employees, (iv) did not use reasonable methods to prevent, detect, and investigate unauthorized access to personal information on their networks, and (v) failed to assess risk to consumers. For the debt collector, the FTC alleges that the failures constituted an unfair act or practice in violation of the FTC Act. The FTC claims that the auto dealer also violated the FTC Act and, for the first time, charges an auto dealer with violations of certain Gramm-Leach-Bliley (GLB) Act rules. The settlement orders with both companies bar misrepresentations regarding the privacy, security, confidentiality, and integrity of any personal information and require that the firms establish comprehensive information security programs that will be audited every other year for 20 years. The auto dealer also is barred from violating the GLB rules at issue.

    FTC Gramm-Leach-Bliley Privacy/Cyber Risk & Data Security
