
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC Releases Revised Proposed Privacy Rules for Broadband Providers

    Federal Issues

    On October 6, the FCC issued a fact sheet on revised privacy rules related to broadband internet services. According to the fact sheet, the proposed rules “are designed to evolve with changing technologies and encourage innovation, and are in harmony with other key privacy frameworks and principles – including those outlined by the [FTC] and the Administration’s Consumer Privacy Bill of Rights.” The FCC first issued a set of privacy rules concerning consumer rights in relation to broadband internet service providers (ISPs) in March. In Chairman Tom Wheeler’s October 6 blog post regarding the recent revisions, he noted that the revised proposal “provide[s] consumers increased choice, transparency and security online.” The proposed rules, among other things, would require ISPs to (i) let consumers know the type of information they are collecting, specify how and the extent to which the information can be used and shared, and identify with whom the information is shared; (ii) obtain consumers’ opt-in consent to use sensitive information, including, among other things, geo-location, social security numbers, and web browsing history; and (iii) provide an opt-out option, consistent with customer expectations, for the use and sharing of non-sensitive information. Notably, the proposed rules “do not apply to the privacy practices of websites or apps, over which the [FTC] has authority…even when a website or app is owned by a broadband provider.” The Commission is scheduled to vote on the proposal on October 27.

    Federal Issues FTC FCC Privacy/Cyber Risk & Data Security

  • Congress Considers Cybersecurity Bills

    Privacy, Cyber Risk & Data Security

    On September 21, the House approved HR 5064, the Improving Small Business Cyber Security Act. This bill envisions cooperation between the Department of Homeland Security (DHS) and the Small Business Administration to share cyber threat information and to provide cybersecurity consulting services through small business development centers. Although it was scheduled for debate, there was no action on HR 5459, the Cyber Preparedness Act of 2016. This legislation would rely on the National Cybersecurity and Communications Integration Center to share information about cybersecurity best practices, as well as cyber threat indicators and defensive measures with state, local, and regional officials.

    U.S. House Privacy/Cyber Risk & Data Security

  • Special Alert: NYDFS Stakes Claim on Cybersecurity Regulation

    Privacy, Cyber Risk & Data Security

    On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”

    Given the concentrated position of financial services companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of a breach, and more recently amended the law to require 12 months of identity protection and to strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating that businesses implement security controls to protect personal information relating to state residents.

    The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than merely asking financial entities to conduct a risk assessment and to design measures to address the identified risks.


    Click here to view the full Special Alert.


    NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500 State Issues

  • FFIEC Revises Information Security Booklet

    Privacy, Cyber Risk & Data Security

    On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessments “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”

    Examination FFIEC Vendor Management Privacy/Cyber Risk & Data Security

  • FinCEN Issues Advisory on E-Mail Compromise Fraud Schemes

    Privacy, Cyber Risk & Data Security

    On September 6, FinCEN issued advisory bulletin FIN-2016-A003 notifying financial institutions of a growing number of e-mail compromise schemes, in which criminals misappropriate funds by deceiving financial institutions and their customers into conducting wire transfers. The advisory summarizes the three main stages of e-mail compromise schemes, which involve impersonating victims to submit seemingly legitimate transaction instructions: (i) compromising victim information and e-mail accounts, whereby criminals access an e-mail account via social engineering or computer intrusion techniques; (ii) transmitting fraudulent transaction instructions, whereby criminals use stolen e-mail account information to send financial institutions fraudulent wire transfer instructions; and (iii) executing unauthorized transactions, whereby the fraudulent wire transfer instructions direct the financial institution to deposit the transfers to the criminals’ domestic or foreign banks. The advisory further warned of two prevalent e-mail compromise schemes: (i) Business E-mail Compromise (BEC), which targets commercial customers of financial institutions; and (ii) E-mail Account Compromise (EAC), which targets personal bank accounts. When conducting a BEC scheme, criminals will impersonate company employees, a company supplier, or a company executive to “authorize or order payment through seemingly legitimate internal e-mails.” EAC schemes, by contrast, target individuals conducting large transactions through financial institutions, lending entities, real estate companies, and law firms. Developed in coordination with the FBI and the U.S. Secret Service, the advisory provides red flags for financial institutions to use to identify and prevent BEC and EAC e-mail fraud schemes.

    Fraud FinCEN Privacy/Cyber Risk & Data Security

  • FTC Announces Agenda for Consumer Disclosure Workshop

    Consumer Finance

    On September 15, the FTC will host a workshop titled “Putting Disclosures to the Test” to examine the effectiveness of consumer disclosures. Scheduled to take place in Washington, D.C., the full-day event will include an opening session devoted to how consumers process disclosures, and presentations on the following six topic areas: (i) methods and procedures for evaluating the effectiveness of disclosures; (ii) if and when consumers notice, read, or pay attention to disclosures; (iii) if consumers understand the information in disclosures; (iv) the impact of disclosures on consumers’ decisions and behavior; (v) case studies; and (vi) the future of disclosures, with emphasis on how to make them more efficient and effective. In addition to acknowledging the agency’s commitment to ensuring the use of effective, non-deceptive disclosures for advertisement purposes, the FTC highlighted the significance of effective disclosures in the privacy field and noted that it has “long encouraged the development and testing of shorter, clearer, easier-to-use privacy disclosures and consent mechanisms.”

    FTC Disclosures Privacy/Cyber Risk & Data Security

  • FTC Announces Agenda for Ransomware Event

    Privacy, Cyber Risk & Data Security

    On September 7, the FTC will host its first in a series of events to look at emerging technologies raising consumer privacy and security concerns. Scheduled to take place in Washington, D.C., the first event will focus on ransomware, “one of the most challenging cybersecurity problems affecting consumers and businesses.” Panelists will discuss the scope and state of ransomware, the best defenses against it, and how victims should respond to hacker demands. The FTC will host the second and third events in the series on October 13 and December 7 with emphases on drones and smart TVs, respectively.

    FTC Privacy/Cyber Risk & Data Security

  • New York AG Schneiderman Announces $100,000 Settlement Over Data Security Practices

    Privacy, Cyber Risk & Data Security

    On August 5, New York AG Schneiderman announced that an online retailer will pay $100,000 in penalties to settle allegations that its weak security practices led to a data breach that potentially exposed more than 25,000 credit card numbers and cardholder data. According to AG Schneiderman, after a third party accessed the retailer’s website on August 7, 2014, a merchant bank notified the retailer on June 5, 2015 that customers’ credit card accounts were showing fraudulent charges. The retailer subsequently hired a company to conduct a forensic investigation, during which malware was found on and subsequently removed from the retailer’s website. AG Schneiderman contends that the retailer violated various sections of the New York State General Business Law by failing to notify its customers or law enforcement of the breach and by misrepresenting the safety and security of its website, also in breach of Executive Law § 63(12). In addition to the $100,000 penalty, the settlement requires that the retailer (i) conduct thorough and efficient investigations of future data security breaches; (ii) promptly notify New York law enforcement and affected customers of data security breaches; (iii) “maintain reasonable security policies and procedures designed to protect the personal information of consumers in accordance with New York State General Business laws”; (iv) remediate security vulnerabilities on its websites; and (v) train its employees in the most current data security practices.

    State Attorney General Privacy/Cyber Risk & Data Security

  • FTC Determines Medical Testing Lab's Data Security Practices Unreasonable

    Privacy, Cyber Risk & Data Security

    On July 29, the FTC announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision to dismiss a 2013 FTC complaint against a Georgia-based medical testing laboratory (Respondent). In a 3-0 vote, the Commission determined that Respondent “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network and therefore that its data security practices were unfair under Section 5 of the [FTC] Act.” In reversing the Initial Decision, the Commission concluded that Respondent’s security practices lacked “even basic precautions” to protect consumers’ sensitive information by, among other things, failing to (i) “use an intrusion detection system or file integrity monitoring”; (ii) “monitor traffic coming across its firewalls”; (iii) provide adequate data security training to its employees, finding that “essentially no data security training” was provided; and (iv) delete “any of the consumer data it had collected.” According to the Commission, such failures led to the exposure of medical and other sensitive information for 9,300 consumers on a peer-to-peer (P2P) network to which millions of users had access.

    The Commission reasoned that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” further noting that Respondent’s practices were also “likely to cause substantial injury,” as reasonably interpreted under Section 5(n), because (i) they led to the exposure of consumers’ sensitive information to the millions of P2P users; and (ii) “Complaint Counsel’s expert witnesses identified a range of harms that can and do result from the unauthorized disclosure of consumers’ sensitive personal information of the type maintained by [Respondent] on its computer network.” The Commission’s Final Order requires that Respondent, among other things, establish “a comprehensive information security program,” give notice to those consumers and companies affected by the disclosure on the P2P network, and obtain periodic independent, third-party assessments regarding the implementation of the new security program. After service of the Commission’s Opinion and Final Order, Respondent has 60 days to file a petition for review with a U.S. Court of Appeals.

    FTC Privacy/Cyber Risk & Data Security

  • Department of Agriculture Requests Comments on Continuation of, and Changes to, Registration Form to Request Electronic Access Code Information

    Privacy, Cyber Risk & Data Security

    On July 22, the Federal Register published the U.S. Department of Agriculture’s (USDA) request for comments on the Office of the Chief Information Officer’s (OCIO) intent to “request approval for the continuation of and changes to the [USDA] Registration Form to Request Electronic Access Code information collection to allow USDA customers to securely and confidently share data and receive services electronically.” The USDA’s eAuthentication Service (eAuth) collects customer and employee information in order to provide “public citizens as well as federal government employees with a secure single sign-on capability for USDA applications, management of user credentials, and verification of identity, authorization and electronic signatures.” The online self-registration process and identity proofing service, which is voluntary, permits USDA customers and employees to access USDA Web applications and services via the Internet. As it currently exists, the eAuth service allows customers to access USDA Web site portals through two Levels of Assurance (LOAs). LOA 1 provides limited access to portals and applications that have minimal security requirements. LOA 2 “enables users to conduct official electronic business transactions via the Internet, enter into a contract with the USDA, and submit forms electronically via the Internet to USDA agencies.” The OCIO is developing LOA 3, which, if authorized, would provide public citizens with accounts. LOA 3 would require the same level of self-registration and identity proofing, but would also incorporate strong multi-factor authentication credentials for access to secure, high risk, or sensitive systems. Comments on the USDA’s notice are due by September 20, 2016.

    Privacy/Cyber Risk & Data Security
