
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC Names Christopher Hetner Senior Advisor to the Chair for Cybersecurity Policy

    Privacy, Cyber Risk & Data Security

    On June 2, the SEC named Christopher Hetner Senior Advisor to the Chair for Cybersecurity Policy. In this capacity, Hetner will serve as a senior advisor to Chair Mary Jo White on all policy matters relating to cybersecurity. Having joined the SEC in January 2015, Hetner currently serves as Cybersecurity Lead for the Technology Control Program within the SEC’s Office of Compliance Inspections and Examinations (OCIE), coordinating cybersecurity efforts across OCIE and lending advice on enforcement matters. As Senior Advisor, Hetner “will be responsible for coordinating efforts across the agency to address cybersecurity policy, engaging with external stakeholders, and further enhancing the SEC’s mechanisms for assessing broad-based market risk.”

    SEC Privacy/Cyber Risk & Data Security

  • CSBS Publishes Annual Report

    Privacy, Cyber Risk & Data Security

    Recently, the Conference of State Bank Supervisors (CSBS) published its 2015 Annual Report to provide an overview of its activities and initiatives in 2015. The report highlights that, throughout 2015, state regulators (i) increased coordination and collaboration between state regulators and other stakeholders, including federal regulators and Congress; (ii) developed research and analytical tools, such as risk profiling tools to assist with the examination selection process, as well as tools to address emerging non-depository regulatory issues; (iii) developed “right-sized” policy solutions for an ever-changing financial services industry, acknowledging that “community banks play a vital and necessary role in [the] diverse financial services ecosystem”; and (iv) provided education and training for examiners and supervisors, noting that “more than 1,000 examiners from 43 agencies representing 41 states had been certified through the CSBS Certification Program.” Importantly, the report notes that cybersecurity remains a “major issue facing the financial services industry.” In an effort to encourage executive leadership and raise awareness, CSBS launched the Executive Leadership of Cybersecurity (ELOC) initiative, which emphasizes that cybersecurity is “more than a ‘back office’ issue, but an executive issue that requires CEO and Board level attention.”

    Examination Privacy/Cyber Risk & Data Security

  • Senate Judiciary Committee Holds Hearing to Discuss FCC's Proposed Privacy Rules

    Privacy, Cyber Risk & Data Security

    On May 11, the Subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee held a hearing titled “Examining the Proposed FCC Privacy Rules.” The witnesses were FCC Chairman Thomas Wheeler, FCC Commissioner Ajit Pai, FTC Chairwoman Edith Ramirez, and FTC Commissioner Maureen Ohlhausen. The focal point of the hearing was the FCC’s proposed rule on broadband internet services, which follows the Open Internet Order the FCC adopted in February 2015 to preserve net neutrality. According to the proposal’s proponents, the rule is intended to ensure that consumers’ personal information is adequately protected when Internet Service Providers (ISPs) collect information on consumers using their products. According to Chairman Wheeler’s opening remarks, the FCC’s proposed rule governing the privacy and security of consumer data is built on “transparency, choice, and security.” Commissioners Pai and O’Rielly oppose the proposal, with Commissioner Pai commenting at the hearing that the proposal imposes “stringent regulation” on ISPs, in spite of Chairman Wheeler’s November 2015 statement before the House Energy and Commerce Committee’s Subcommittee on Communications and Technology that the FCC “would ‘not be regulating the edge providers differently’ from ISPs.” In contrast to the FCC’s proposal, the FTC maintains a unified approach toward regulating ISPs and other online actors. Speaking to the FTC’s efforts to protect consumer information, Chairwoman Ramirez’s and Commissioner Ohlhausen’s joint testimony summarized the FTC’s enforcement, policy, and education work related to consumer privacy and highlighted recent FTC and FCC joint enforcement actions.

    According to Senator Leahy’s (D-VT) opening remarks, the FCC’s recent proposal raises the question of whether FCC regulation of specialized broadband privacy issues is “unnecessary in light of the FTC’s general enforcement power.” Advocates of the FCC’s proposal, such as Senator Leahy, maintain that the FTC’s case-specific enforcement power cannot be a substitute for the FCC’s “expert rulemaking process”; those in opposition, such as FCC Commissioner Pai, argue that the proposal “makes little, if any, sense.” Comments on the FCC’s proposal are due by May 27, 2016, with the reply comment period ending June 27, 2016.

    FTC FCC U.S. Senate Privacy/Cyber Risk & Data Security

  • AG Schneiderman Reports Increase in Data Breach Notifications; Unveils Electronic Submission Form

    Privacy, Cyber Risk & Data Security

    On May 4, New York AG Schneiderman announced that, from January 1, 2016 through May 2, 2016, his office received 459 data breach notices – more than a 40% increase compared to the 327 notices received during the same time last year. Due to the increased volume of data breach notices and in an effort to provide greater efficiency in the reporting process, AG Schneiderman announced an electronic breach reporting form. The new form allows companies to submit data breach notices via web submission: “[c]ompanies may now notify the Attorney General’s Office of a data breach via a web submission form in order to expedite and streamline the process. Previously, and consistent with most other state attorneys general offices, companies were required to mail, fax, or email a separate data breach form.” AG Schneiderman’s office expects to receive “well over” 1,000 data breach notices in 2016.

    State Attorney General Privacy/Cyber Risk & Data Security

  • Democratic Senators Commission GAO to Study Fintech Industry

    Fintech

    On April 18, Senators Sherrod Brown (D-OH), Jeffrey Merkley (D-OR), and Jeanne Shaheen (D-NH) sent a letter to the Government Accountability Office (GAO) requesting that it complete a study on the fintech industry. Under the Dodd-Frank Act, the GAO is required to examine the regulatory structure of person-to-person (P2P) lending. While the letter recognizes that the GAO issued a report on P2P lending in 2011, the senators urged the GAO to recognize that the lending industry built by financial technology firms (often called fintech) “has changed dramatically and evolved beyond consumer lending,” and that “P2P lending, now generally called marketplace lending, is not the only form of fintech that has developed over the last several years.” The letter further cautions that “gaps in understanding and regulation of emerging financial products may result in predatory lending, consumer abuse, or systemic issues.” Finally, Senators Brown, Merkley, and Shaheen urged the GAO to provide responses to questions relating to, among other things, (i) the size and structure of the loan portfolios maintained by privately owned fintech lenders; (ii) how fintech lenders’ relationships with financial institutions affect both the financial system at large and the regulatory framework; (iii) whether the risks that may arise from the investor base shifting from individual investors to institutional investors have grown since this issue was first noted in the GAO’s 2011 report; and (iv) the anti-money laundering, data security, and privacy requirements to which fintech companies are subject.

    Anti-Money Laundering U.S. Senate Online Lending GAO Fintech Privacy/Cyber Risk & Data Security Marketplace Lending Peer-to-Peer Predatory Lending

  • Article 29 Working Party Assesses Transatlantic Privacy Shield

    Privacy, Cyber Risk & Data Security

    On April 13, the Article 29 Working Party (WP29) of the European Union released its assessment of the draft framework for transatlantic data flows: EU-US Privacy Shield, which was announced on February 2. According to the assessment, the WP29 evaluated the Privacy Shield from a commercial as well as a national security perspective. Regarding commercial aspects of the Privacy Shield, the WP29 maintained that “key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.” The WP29 further opined that it “cannot find in the documents constituting the Privacy Shield any reference to the necessity for data controllers to ensure that the data are deleted once the purpose for which they were collected or further processed has become obsolete. Hence, as it seems, the Principles do not impose to the certified organisations [sic] a limit for the period of retention of the data comparable to what is imposed by the data retention limitation principle under EU law.” Regarding onward transfers and national security, the WP29 commented that, because the Privacy Shield will be used to transfer data outside the U.S., it must ensure the same level of protection on all aspects, including national security, and “should not lead to lower or circumvent EU data protection principles.” According to the WP29, as the Privacy Shield is currently drafted, “onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.” Finally, the WP29 raised doubts about the effectiveness of the Ombudsperson at the U.S. State Department, questioning whether the designated person would be equal in independence to national security oversight bodies in other countries.

    Privacy/Cyber Risk & Data Security

  • Boston Fed President Comments on the Ever-Changing Nature of Cyber Risk

    Privacy, Cyber Risk & Data Security

    On April 4, the Federal Reserve Bank of Boston’s President Eric S. Rosengren delivered remarks at the 2016 Cybersecurity Conference. Rosengren commented on the status of the U.S. economy and the “ever-changing” nature of cyber risk. According to Rosengren, risks in the cyber realm, unlike those related to the economy, are not waning. Significant cyber risk points outlined in Rosengren’s remarks include: (i) banks increasingly have to compete with “fintech” entities that provide similar financial services without the regulatory burden of being a bank; (ii) the rapid growth of new applications and devices provides consumer convenience, but their design does not always give adequate attention to security; and (iii) a communication plan that addresses customer, vendor, and regulator concerns in the event of a breach is critical to mitigating the resulting problems. Finally, Rosengren cautioned that “[b]anking organizations need to continue to evolve as [cyber risks] morph, and as new innovations and expectations of convenience introduce new challenges to security.”

    Privacy/Cyber Risk & Data Security Federal Reserve Fintech

  • California AG Harris Announces Settlement with San Francisco-Based Bank Over Consumer Privacy Violations

    Privacy, Cyber Risk & Data Security

    On March 28, California AG Harris announced an $8.5 million settlement with a San Francisco-based bank for alleged violations of California consumer privacy laws. Specifically, the investigation by AG Harris and five district attorneys found that the bank’s employees failed to “timely and adequately disclose the recording of communications they had with members of the public,” in violation of sections 632 and 632.7 of the California Penal Code. Without admitting liability, the bank agreed to (i) implement changes to its policies; (ii) comply fully with California’s laws concerning the recording of communications between the bank and California consumers, making a clear, conspicuous, and accurate disclosure (the Recorded Call Disclosure) at the beginning of any communication that is subject to recording; and (iii) implement an internal compliance program to “promote full compliance with the requirements of Penal Code sections 632.7 and 632, and the Recorded call disclosure.” Of the $8.5 million civil money penalty, $384,000 will be used to reimburse the prosecutors’ investigative costs, and $500,000 will be contributed to two California organizations dedicated to advancing consumer protection and privacy rights.

    State Attorney General State Issues Privacy/Cyber Risk & Data Security

  • New York DFS Takes Action Against Online Payday Loan Lead Generator

    Privacy, Cyber Risk & Data Security

    Recently, the New York DFS announced that an online payday loan lead generator and its CEO will pay a $1 million penalty and cease payday loan lead generation activities in New York to resolve allegations that the payday loans it advertised carried fees and interest rates exceeding the usury limits allowed under New York law, and that it failed to protect consumers' personal information. According to the DFS, the company (i) "advertised payday loans and connected New York consumers to payday lenders without disclosing that the payday loans contained terms that violate New York usury laws"; and (ii) failed to take any protective measures when selling leads to its network of lead buyers, despite advertising that it "prides itself in putting [its] customer's security and personal information protection at the top of [its] priority list." If the company solicits non-payday lending services in New York in the future, the order requires it to establish and adhere to data security protocols for the secure use, transfer, and storage of consumers' personal information. This is the DFS's first action requiring a company to apply consumer data security measures to its future collection of consumers' personal information.

    Payday Lending Usury NYDFS Privacy/Cyber Risk & Data Security

  • FTC Issues Inquiry into Credit Card Companies' Compliance with Payment Card Industry Data Security Standards

    Privacy, Cyber Risk & Data Security

    On March 7, the FTC announced that it issued orders to nine companies requiring them to file a Special Report regarding their assessments of other companies’ compliance with the Payment Card Industry Data Security Standard (PCI DSS). Specifically, the FTC’s Order stated that it is “seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy.” Among other things, a company in receipt of the Order must state whether or not it performs PCI DSS Compliance Assessments, whether or not it provides any Data Security Forensic Audit Services, and whether or not it has been the “subject of any government or regulatory inquiry, private action, arbitration or mediation related to the provision of Data Security Services.” If a company performs PCI DSS Compliance Assessments, the Order requires that it submit certain information on the assessment process, including but not limited to, (i) whether or not Qualified Security Assessors are hired to perform the assessment; (ii) the number and percentage of clients for which it completed a Compliance Assessment, including the number for which it did not provide a “compliant” or “in place” designation on the Attestation of Compliance or the Report on Compliance, respectively; (iii) the policies and procedures related to the Compliance Assessment; and (iv) copies of a limited set of PCI DSS compliance assessments performed. Companies must file the Special Report within 45 days after the date of service of the Order, which is dated March 4, 2016.

    FTC Privacy/Cyber Risk & Data Security
