InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out
On September 27, interim CEO, Paulino do Rego Barros Jr., spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for their credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.
On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.
SEC Announces Two Enforcement Initiatives Designed to Combat Cyber Threats
On September 25, the SEC announced the expansion of its Enforcement Division’s focus on cyber-related misconduct with the creation of a Cyber Unit and a Retail Strategy Task Force. The Cyber Unit will focus on areas such as (i) market manipulation schemes involving electronically-transferred false information; (ii) data breaches intended to obtain nonpublic information; (iii) distributed ledger technology and initial coin offering violations; (iv) misconduct through the use of the dark web; (v) retail brokerage account intrusions; and (vi) cyber-related threats targeting trading platforms and other critical market infrastructures. The Cyber Unit will complement the SEC’s internal assessment of its cybersecurity risk profile. (See previous InfoBytes coverage here.) The goal of the Retail Strategy Task Force will be to “develop proactive, targeted initiatives to identify misconduct impacting retail investors [and] apply the lessons learned from those cases and leverage data analytics and technology to identify large-scale misconduct affecting retail investors.”
SEC Chairman Releases Statement Discussing Internal Cybersecurity Assessment, Announces EDGAR Vulnerability May Have Led to Illicit Gain
On September 20, the SEC released a statement issued by Chairman Jay Clayton regarding the Commission’s approach to cybersecurity and its impact on market participants. Topics discussed in the statement, which is part of the SEC’s ongoing assessment of its cybersecurity risk profile, include:
- the collection and use of data by the SEC;
- the management of, and responses to, internal cybersecurity risks;
- the integration and incorporation of cybersecurity considerations into the SEC’s supervision of regulated entities;
- coordinated efforts with other regulations to identify and mitigate risk; and
- oversight and enforcement efforts related to cybersecurity activities.
The Chairman also discussed the SEC’s discovery in August that a 2016 security incident involving a software vulnerability within the Commission’s EDGAR system “may have provided the basis for illicit gain through trading” by providing access to nonpublic information. However, the SEC also stated its belief that “the intrusion did not result in the unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” According to the SEC, the vulnerability was patched promptly after discovery, and the SEC commenced an internal investigation, which is ongoing.
Chairman Clayton is scheduled to testify before the Senate Banking Committee on September 26 at a hearing titled, “Oversight of the U.S. Securities and Exchange Commission.”
Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled
The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.
Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.
NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.
State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.
Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.
***
Click here to read full special alert.If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
OFAC Imposes Additional Iranian Sanctions, List Includes Entities Involved in DDoS Attacks Against U.S. Financial Institutions
On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced it was imposing sanctions on 11 entities and individuals for supporting designated Iranian actors or for conducting malicious cyberattacks, including engaging in a series of distributed denial of service (DDoS) attacks against approximately 46 U.S. financial institutions. As reported in an indictment delivered by a federal grand jury in the Southern District of New York (see March 24, 2016 DOJ press release), the DDoS attacks—allegedly conducted by seven Iranian individuals between December 2011 and mid-2013—denied customers access to online bank accounts and collectively cost the affected financial institutions “tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their [computer] servers.” During a DDoS attack, a “malicious actor” gains remote control of a server through the installation of malicious software. Once compromised, the “malicious actor” can collect hundreds or thousands of these compromised devices (collectively known as a “botnet”), and, once control is achieved, will “direct the computers or servers comprising the botnet to carry out computer network attack[s] and computer network exploitation activity.” Three of the seven sanctioned individuals worked for a company that was added to OFAC’s updated SDN list on September 14 and oversaw a network of compromised computers that powered DDoS attacks. The other four individuals operated a second DDoS botnet on behalf of a different company listed on OFAC’s non-SDN list. Both Iranian-based private computer security companies perform work on behalf of the Iranian Government, including Iran’s Islamic Revolutionary Guard Corps. Pursuant to E.O. 13694, U.S. persons are prohibited from dealing with the designated entities and individuals, and “foreign financial institutions that facilitate significant transactions for, or persons that provide material or certain other support to, the entities and individuals designated today risk exposure to sanctions that could sever their access to the U.S. financial system or block their property and interests in property under U.S. jurisdiction.”
In addition, pursuant to E.O. 13382, OFAC sanctioned an Iranian-based engineering company for engaging in activities related to Iran’s ballistic missile program, which include providing “ financial, material, technological, or other support for, or goods or services in support of, the [Islamic Revolutionary Guard Corps].” Two Ukrainian-based companies were also sanctioned pursuant to E.O. 13224 for assisting previously sanctioned Iranian and Iraqi airlines in obtaining U.S.-origin aircraft, as well as crew and services.Senate Banking Committee’s Fintech Hearing Discusses Regulatory Challenges and Innovation Risks
On September 12, the full Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Examining the Fintech Landscape” to discuss topics concerning fintech innovation and the regulatory landscape. Committee Chairman Mike Crapo (R-Idaho) opened the hearing by asserting that while fintech firms provide “new and innovative products and services in areas such as marketplace lending, digital payments and currencies, wealth management, insurance and more . . . [u]ncertainty remains around questions like data security and the proper regulatory treatment to ensure consumers and the financial system are safeguarded.” Sen. Crapo said that he welcomes the opportunity to learn more about fintech innovations, the impact on the financial system, and the current regulatory approach to this sector.
Sen. Sherrod Brown (D-Ohio), ranking member of the Committee, also released an opening statement in which he called for the need to “improve federal oversight of data collection and data security,” especially in light of the recent credit reporting data breach. (See previous InfoBytes summary here.) Sen. Brown noted that he is interested in understanding “how Congress can encourage fintech innovation to make it easier for community banks to serve their customers, comply with important safety and soundness and anti-money laundering rules.”
The three witnesses offered numerous insights related to the fintech industry, including (i) the need to manage risk without stifling fintech innovation; (ii) the importance of creating consistent standards and a regulatory framework; (iii) the need to clearly outline the definition of fintech firms and digital lenders; (iv) challenges when using algorithms and alternative data to assess creditworthiness; and (v) concerns regarding state preemption in the fintech space. The witnesses also answered questions concerning the concept of utilizing a regulatory sandbox to allow fintech firms to operate on a limited basis to test new ideas, and offered support for an innovation office, which would help fintech firms and regulators understand the emerging landscape.
- Mr. Lawrance Evans, Director, Financial Markets, U.S. Government Accountability Office (testimony);
- Mr. Eric Turner, Research Analysis, S&P Global Market Intelligence (testimony); and
- Mr. Frank Pasquale, Professor of Law, University of Maryland Francis King Carey School of Law (testimony).
FTC Announces First EU-U.S. Privacy Shield Enforcement Actions Over False Certification Claims
On September 8, the FTC announced settlements with three companies over allegations that they falsely claimed certification to take part in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. These settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions. In July 2016, the EU finalized and adopted the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations. (See previous InfoBytes summary here.) In separate complaints, the FTC alleges that a human resources software company, a printing services company, and a company that manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield without having completed the certification process. According to the terms of the settlements as summarized in the FTC press release, the companies are all banned from “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.”
Legislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach
As previously reported in InfoBytes, a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative action. Senator Brian Schatz (D-Haw.) reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act to address these issues. In addition, two committees—the House Financial Services Committee and the House Energy and Commerce Committee—both announced plans to hold hearings on the breach (dates still to be released). Separately, Representative Ted Lieu (D-Cal.) sent a letter to the House Judiciary Committee requesting a hearing to investigate how and why the data breach occurred, and what measures can be taken to prevent future incidents.
At least two class action lawsuits have been filed—in Georgia and Oregon—as a result of the breach, and several state attorneys general, including New York Attorney General Eric T. Schneiderman, have launched investigations into the matter. The CFPB also released a blog post for consumers on ways to identify signs of fraud or identity theft.
Notably, on September 11, the agency issued an update for consumers announcing that “in response to consumer inquiries,” the arbitration clause and class action waiver included in its terms of use will not “apply to this cybersecurity incident.” The CFPB’s final arbitration rule, which prohibits the use of mandatory pre-disputer arbitration clauses, has been a point of considerable debate this summer, with the House voting to repeal the proposed rule and the Senate introducing a similar measure (see InfoBytes post here), while a coalition of state attorneys general have issued support for the proposed rule (see InfoBytes post here).
Credit Reporting Agency Announces Widespread Consumer Data Breach
On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identify theft protection.