
InfoBytes Blog

Financial Services Law Insights and Observations


  • Acting FTC Chairman Ohlhausen Welcomes New FCC Approach to Internet Openness

    Privacy, Cyber Risk & Data Security

    On May 18, Acting FTC Chairman Maureen Ohlhausen issued a statement on the FCC’s publication of a Notice of Proposed Rulemaking (NPRM) to “reinstate a light-touch regulatory approach protecting Internet openness.” The Notice proposes the following actions: (i) returning to the framework under Title I of the Communications Act instead of following Title II regulatory guidance; (ii) classifying mobile broadband Internet access service as “private mobile service”; and (iii) eliminating Title II’s “vague and expansive” Internet conduct standard, thus eliminating regulatory uncertainty. “I welcome the adoption of this NPRM as further progress toward restoring the FTC’s ability to protect broadband subscribers from unfair and deceptive practices, including violations of their privacy. Those consumer protections were an unfortunate casualty of the FCC’s 2015 decision to subject broadband to utility-style regulation. This new proceeding offers an opportunity to undo that decision and thereby return broadband consumers to the expert protection of the FTC,” stated Chairman Ohlhausen.

    Privacy/Cyber Risk & Data Security FTC FCC

  • House Passes Cyber Crime Bill

    Privacy, Cyber Risk & Data Security

    On May 16, the U.S. House of Representatives officially approved the Strengthening State and Local Cyber Crime Fighting Act of 2017 (H.R. 1616) in a vote of 408-3. The Act would amend the Homeland Security Act of 2012 to formalize the Secret Service’s National Computer Forensic Institute’s (NCFI) responsibilities for coordinating investigations into cyberattacks and hacks and would provide training and tools for state and local agencies dealing with electronic crime related threats. In an April press release, the bill’s sponsor, Rep. John Ratcliffe (R-Tex.), Chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, stated, “The [NCFI] has played a major role in equipping state and local law enforcement officers across the country with the tools they need to address the extra layers of complexity presented by the growing incidences of cybercrime.” Notably, the legislation, which now heads to the Senate, follows the recent international cyberattack that infected computer systems globally with the WannaCry ransomware (see previous InfoBytes coverage here).

    Privacy/Cyber Risk & Data Security U.S. House Federal Legislation

  • Ransomware Attack Has Global Impact, Bipartisan Legislation Introduced to Counter Hacking

    Privacy, Cyber Risk & Data Security

    On May 12, a cyberattack spread around the world, affecting more than 230,000 computers in roughly 150 countries, according to a statement issued by the American Bankers Association. The ransomware, known as “WannaCry,” was used to exploit a vulnerability that affects computers running Microsoft Windows (see Department of Homeland Security Alert). Users of infected computers received a message that their files had been encrypted and that they must pay a ransom in bitcoin in order to decrypt their files. However, as conveyed in a press release issued by the Financial Services - Information Sharing and Analysis Center (FS-ISAC), it appears that the majority of the attacks seem to be targeting and impacting non-financial sector entities globally. FS-ISAC “believes the current attacks utilize known vulnerabilities for which there are available software patches,” but that firms and service providers need to implement the patches. Agencies continue to monitor what may be the first in a series of attacks.

    SEC Office of Compliance and Examinations (OCIE) and FBI Issue Responses. The OCIE released a statement cautioning registrants to be vigilant in mitigating risk, and noted a recent OCIE study that determined a substantial number of registrants did not conduct periodic risk assessments, penetration tests, or vulnerability scans, while a smaller number had not updated critical security patches. The OCIE also provided links to guidance on cybersecurity risk management. Likewise, the FBI issued a bulletin providing guidance on additional protection measures following the attack.

    Bipartisan Legislation Introduced. On May 17, bipartisan legislation was introduced in the House and Senate to add transparency and accountability to the federal government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems. The bill, the Protecting our Ability To Counter Hacking (PATCH) Act, follows the apparently leaked NSA hacking tool which opened the door to the global “WannaCry” ransomware attack. It is sponsored by Senators Brian Schatz (D-Haw.), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.), and Representatives Ted Lieu (D-Cal.) and Blake Farenthold (R-Tex.). As described in a release issued by Sen. Schatz’s office, the proposed legislation would make the Vulnerabilities Equities Process (VEP) more permanent, while altering its structure. It would also make the Department of Homeland Security the chair of the interagency board overseeing the VEP. Under the bill, the NSA and other security agencies would still be a permanent part of the board, while other agencies and the White House's National Security Council could attend meetings if the board deems it necessary. The established board would also produce a report for Congress on the policies it establishes regarding the disclosure of vulnerabilities no later than 180 days after the enactment of the Act. An unclassified version of the report will be publicly available as well. “Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy,” Sen. Schatz noted. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

    Coalition for Cybersecurity Policy and Law. The legislation has already received support. The Coalition issued the following statement in support of the proposed bill: “We support the goals of the PATCH Act and we look forward to working with Chairman Johnson, Senators Schatz and Gardner, and Reps. Lieu and Farenthold as it moves forward in both chambers. The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery.”

    Privacy/Cyber Risk & Data Security ABA SEC Congress Federal Legislation

  • FTC, Federal, State, and International Partners Announce Crackdown on Tech Support Scams

    Privacy, Cyber Risk & Data Security

    On May 12, the FTC, along with federal, state and international law enforcement partners, announced new enforcement actions in its “Operation Tech Trap” program. The program is designed to crack down on tech support scams that, among other things, deceive consumers into believing their computers are infected with viruses and malware and then charge them for unnecessary repairs. According to FTC, its Operation Tech Trap partners have brought 29 law enforcement actions against deceptive tech support operations in the last year. Among the four new complaints announced on May 12, the FTC has already been granted temporary restraining orders in three of the cases to stop the tech support companies’ deceptive practices, freeze their assets, and appoint a temporary receiver to take control of them.

    The FTC also announced a settlement in a pending action brought by the FTC and the Attorneys General of Connecticut and Pennsylvania against two defendants who allegedly participated in deceptive acts and practices in connection with the advertising, marketing, and sale of computer security or technical support products and services. Under the terms of the settlement, the defendants are subject to a money judgment in excess of $27 million. The stipulated final order has been entered by the U.S. District Court for the Eastern District of Pennsylvania. In addition to the FTC and state cases, DOJ brought federal criminal charges against seven individuals, two of whom have entered guilty pleas, for their participation in an international “Tech Support Scam.” Moreover, with respect to its international efforts, Operation Tech Trap is working with authorities in India to crack down on tech support scammers, and has also instituted consumer and business education outreach initiatives with Australia and Canada.

    Privacy/Cyber Risk & Data Security FTC Enforcement State Attorney General DOJ

  • FTC Launches New Website for Small Businesses, Provides Resources to Avoid Scams and Cyberattacks

    Privacy, Cyber Risk & Data Security

    On May 9, the FTC announced the launch of its new website—ftc.gov/SmallBusiness—designed to provide useful information so small businesses can protect their networks and customer data from scams and cyberattacks. The website offers specific guidance such as the Small Business Computer Security Basics guide, which shares computer security basics to help companies: (i) protect their files and devices; (ii) train employees to think twice before sharing the business’s account information; (iii) keep their wireless networks protected; and (iv) respond to data breaches. Information on other cyber threats such as ransomware and phishing schemes that target small businesses is also provided. According to the FTC, the U.S. Small Business Administration reports that “there are more than 28 million small businesses nationwide” that are at risk, many of which lack the resources larger companies have to spend on cybersecurity. Further, the FTC noted that Symantec Corp. found that “the percentage of spear-phishing attacks targeting small business rose dramatically from 18 percent to 43 percent between 2011 and 2015.”

    Privacy/Cyber Risk & Data Security FTC Consumer Education

  • Legislation Proposed to Require Study on Homeowners’ Privacy of Collected HMDA Information

    Federal Issues

    On April 27, Reps. Randy Hultgren (R-Ill.) and Andy Barr (R-Ky.) reintroduced legislation to “protect against the misuse of consumers’ sensitive financial information” collected under the Home Mortgage Disclosure Act (HMDA). According to a May 5 press release issued by Rep. Hultgren’s office, the Homeowner Information Privacy Protection Act (H.R. 2204) would require the Comptroller General of the United States to conduct a study to determine whether the data required to be published, made available, or disclosed under HMDA could result in: (i) exposing the mortgagor’s or applicant’s identity; (ii) exposing the mortgagor or applicant to identity theft or loss of personal, sensitive information; (iii) marketing or selling unfair, deceptive, or abusive financial products based on such information; (iv) personal financial loss or emotional distress resulting from the exposure to identity theft or the loss of sensitive personal financial information; and (v) “the potential legal liability facing the Bureau and market participants in the event the data required to be published, made available, or disclosed under the final rule leads or contributes to identity theft or the capture of sensitive personal financial information.” The bill further provides that the Comptroller will submit reports detailing the findings and conclusions as well as any recommendations for legislative and regulatory actions to the Committee on Financial Services of the House of Representatives and the Committee on Banking, Housing, and Urban Affairs of the Senate. In addition, the bill proposes to delay the effective date of the new reporting requirements set forth in the 2015 HMDA rule to January 1, 2019.

    As previously covered in InfoBytes Special Alerts (see here and here), the CFPB has proposed amendments to the 2015 HMDA rule, which clarifies the collection and reporting requirements for several data points, among other things.

    Federal Issues Congress HMDA Privacy/Cyber Risk & Data Security

  • President Issues Executive Order Directing Agencies to Focus on Cybersecurity

    Federal Issues

    On May 11, the Trump Administration issued an Executive Order, directing federal agencies to increase their efforts to mitigate cyber risks. The order, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates that agencies follow the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk. Among other things, the EO tasks agency heads with submitting a risk management report to the Department of Homeland Security and the OMB within 90 days. In addition, the order also directs defense agencies, the office of the Attorney General and the FBI, to provide the White House with recommendations on how to improve cybersecurity standards among critical infrastructure industries. Notably, the EO includes the financial services industry in its list of critical infrastructure industries. The report is due in 180 days.

    Federal Issues Privacy/Cyber Risk & Data Security Trump Executive Order

  • Second Circuit Holds Purported Class Action Plaintiff Failed to Establish Article III Standing in Data Breach Case

    Courts

    In a summary order handed down May 2, the Second Circuit Court of Appeals held that a plaintiff in a purported class action lacked Article III standing to bring claims against a retailer for breach of an implied contract and for violation of New York General Business Law § 349 arising out of a data breach of the retailer’s systems. See Whalen v. Michaels Stores, Inc., __ Fed. App’x __, Nos. 16-260, 16-352 (2d Cir. May 2, 2017). The consumer-plaintiff had made purchases with her credit card at one of the defendant’s stores, and following the data breach, her credit card was physically presented to pay for two unauthorized charges in Ecuador. The fraudulent charges occurred on consecutive days, with the plaintiff canceling her card on the same day as the second charge. The defendant offered 12 months’ credit monitoring and there was no indication that personally identifying information such as plaintiff’s date of birth or social security number was stolen. Plaintiff argued that she was injured by: (i) the theft of her credit card information and the two fraudulent-purchase attempts, (ii) the risk of future identity fraud, and (iii) the time and money she spent resolving the attempted fraudulent charges and monitoring her credit.

    Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the court concluded that plaintiff did not allege a concrete and particularized injury sufficient to confer Article III standing. As to plaintiff’s first argument, the Court reasoned that she was never “asked to pay, nor did pay, any fraudulent charge.” As to the second argument, the Court stated that there was no threat of future fraud because the plaintiff’s stolen credit card was “promptly canceled,” and “no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” The third argument was likewise inadequate because the plaintiff “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”

    The court also noted that these shortcomings distinguished the plaintiff from plaintiffs in other data breach cases held to have adequately established Article III standing. See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x 384 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015).

    Courts Privacy/Cyber Risk & Data Security

  • FBI Issues PSA on Social Engineering Scams

    Privacy, Cyber Risk & Data Security

    On May 4, the FBI’s Internet Crime Complaint Center released a public service announcement (I-050417-PSA) citing losses to U.S. businesses of nearly $1.6 billion due to social engineering wire transfer and other payment scams between October 2013 and December 2016, with approximately one fifth of the losses coming in the last seven months of 2016. The FBI defines the crime as Business E-mail Compromise (BEC), a sophisticated scam targeting businesses that regularly perform wire transfer payments and/or work with foreign suppliers, and often specifically involves E-mail Account Compromise (EAC) of individuals that perform wire transfer payments. Victims range from small businesses to large corporations and deal in a wide variety of goods and services. According to the FBI, the five main BEC/EAC scam scenarios are: (i) a business working with a longstanding or trusted foreign supplier, where a perpetrator may impersonate the supplier and seek a change in payment instructions by e-mail, phone or fax; (ii) a high-level business executive whose e-mail account is compromised receiving or initiating a request for a wire transfer; (iii) a third party business contact receiving fraudulent correspondence, such as requests for invoice payment, through a compromised email account; (iv) impersonation of a business executive or attorney; and (v) data theft. The FBI also cites 2016 trends including a 480 percent increase in complaints filed by title companies targeted by scammers as part of a real estate transaction, a 50 percent increase in complaints filed by businesses working with dedicated foreign suppliers, and a large increase in W-2 and PII phishing occurring during the 2016 tax season.

    Privacy/Cyber Risk & Data Security FBI

  • American Bankers Association Argues for “Strong, Consistent” National Data Protection Standard

    Privacy, Cyber Risk & Data Security

    In a May 8 letter to Congress, the American Bankers Association (ABA) called on Congress to pursue national data protection standards for companies that handle consumers’ sensitive financial data. The letter notes that the financial sector has an excellent track record in protecting consumer data, citing data from the Identity Theft Resource Center indicating that only 0.2% of records exposed in data breaches were attributable to the financial sector, as opposed to the 81.3% of records exposed at businesses including retail, and adding that the industry is highly motivated and under constant oversight to ensure that Federal privacy and data protection laws such as the Gramm-Leach-Bliley Act are followed. On the other hand, the ABA notes, other industries are not required to protect consumer data under Federal law and have strongly opposed legislation that would add such requirements. The association concludes that a “strong, consistent national standard for fighting data breaches” is necessary to create a “security infrastructure that brings banks, payment networks and retailers together to safeguard sensitive financial data.”

    Privacy/Cyber Risk & Data Security Congress ABA
