InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security
On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”
According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (iii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.
The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.
NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28
On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in Infobytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to provide assistance to institutions when complying with the regulation’s requirements.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
FTC Announces Agenda for Joint Conference on Protecting Military Consumers
On August 22, the FTC released the agenda for the Protecting Military Consumers: A Common Ground Conference to be held on September 7 in Los Angeles. As previously discussed in InfoBytes, the conference is geared towards military attorneys, law enforcement personnel, and consumer protection officials to provide training on consumer fraud and other issues affecting servicemembers and their families, and will be held in partnership with state and local authorities. Topics for discussion on the agenda include, among things:
- higher education;
- identity theft and imposter scams;
- real estate fraud;
- auto financing;
- debt collection;
- lending; and
- privacy issues such as data collection, storage, and sharing.
FTC Announces Settlement with Ride-Sharing Company Over Privacy Allegations
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.
National Insurance Company Settles States’ Investigation over 2012 Data Breach, Pays $5.5 Million in Settlement
On August 9, a national insurance company and its wholly-owned subsidiary reached a $5.5 million settlement with 32 states and the District of Columbia to resolve the states’ investigation into a 2012 data breach, which allegedly caused the personal information of certain consumers to be compromised—including social security and driver’s license numbers, as well as credit scoring information and other data. According to the states’ investigation, the October 2012 data breach occurred when hackers were able to exploit a vulnerability in the company’s website application hosting software. A security patch was later applied. Under the terms of the Assurance of Voluntary Compliance, the company agreed to a number of requirements, including:
- providing an online disclosure notifying consumers that personal information is retained even if they do not become insured;
- appointing an individual to oversee company security practices and manage and monitor software and application security updates, including security patch monitoring; and
- hiring an outside, independent provider to conduct a “patch management audit” of the company’s covered systems.
The majority of the requirements last three years.
The company, while admitting that it experienced a data breach, denied any liability or wrongdoing.
SEC Releases Risk Alert, IMF Issues White Paper on Cybersecurity Awareness
On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC examined 75 SEC registered firms as part of its Cybersecurity 2 Initiative and noted an improvement overall in terms of (i) creating and implementing cybersecurity policies and procedures and response plans; (ii) conducting periodic risk assessments to identify threats and vulnerabilities; (iii) implementing measures to ensure regular system maintenance checks; (iv) maintaining processes for identifying cybersecurity roles and responsibilities; (v) receiving authority from customers and shareholders concerning fund transfer authority; and (vi) conducting vendor risk assessments or requiring risk management from vendors. However, the SEC identified areas in need of improvement, such as failure to tailor or enforce policies and procedures or conduct adequate system maintenance to safeguard customer information. Also included in the alert are examples of best practices and guidance for firms to follow when implementing cybersecurity-related policies and procedures.
Separately, that same day the International Monetary Fund (IMF) released a working paper discussing cyber risk awareness and the policy measures, regulatory frameworks, and supervisory measures affecting financial institutions’ approaches to systemic cyber risk. The IMF paper, entitled “Cyber Risk, Market Failures, and Financial Stability,” presents an overview of recent cyberattacks on the financial services industry, and stresses that cyber risk management requires that risks identified as part of a threat identification process must be “actively managed” to “ensure that cybersecurity-related measures are appropriate for and commensurate with the underlying risk.” Risk avoidance, risk reduction, and risk transfer are options for effective management. The paper further notes that, as a result of a predominance of cyber risk assessment centering on individual institutions (which constructs a relatively narrow view), insufficient attention has been given to systemic cyber risk that occurs commonly when financial institutions are exposed to “access vulnerabilities, risk concentration, risk correlations, or contagion effects (including through reputational channels).” The paper states that a need exists for regulatory reform and effective policy change “to build resilience through investment in cyber security while giving institutions flexibility to address the risks in the way they see as optimal.” Suggestions for measures—including national and international coordination—to strengthen resilience to cyber risk are also provided.
NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines
On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.
FTC to Use Consumer Complaints to Help End Robocalls
On August 1, the FTC announced a new initiative to help stop the practice of illegal robocalls. According to the FTC, more than 1.9 million complaints regarding unwanted robocalls were received from January through May of this year, making it the FTC’s number one complaint category. Under the new initiative, using information received from consumer complaints, the FTC will release reported robocall phone numbers each day to telecommunications carriers and other industry partners currently implementing call-blocking solutions and will include information such as the date and time the call was received and the nature of the call. “The consumer complaint data is crucial because many of today’s call-blocking solutions rely on ‘blacklists’—databases of telephone numbers that have received significant consumer complaints—as one way to determine which calls should be blocked or flagged before they reach consumers’ phones,” the FTC stated.
FTC Approves Modifications to COPPA Safe Harbor Program
On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule's (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change which requires all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services.