InfoBytes Blog

Financial Services Law Insights and Observations

  • FDIC Publishes Special Edition of Quarterly Consumer News: A Bank Customer's Guide to Cybersecurity

    Privacy, Cyber Risk & Data Security

    On March 8, the FDIC published a special edition of its Quarterly Consumer News entitled “A Bank Customer’s Guide to Cybersecurity.” The guide provides consumers with, among other things, (i) safety tips for online banking; (ii) steps to take to keep mobile devices secure; (iii) advice on how to avoid identity theft, including tips for keeping malware off computers; and (iv) an eight-question cybersecurity test based on the information provided in the guide. The guide also highlights the federal laws and regulations that require financial institutions to establish programs that ensure (i) the security and confidentiality of customer information; and (ii) the minimization of consumers’ losses if they are the victims of unauthorized purchases. Finally, the guide warns small business owners “to be vigilant in protecting their computer systems and data” and provides them with tips similar to the basic precautions outlined for consumers.

    FDIC Privacy/Cyber Risk & Data Security

  • Massachusetts Division of Banks Issues New Cybersecurity Exam Procedures

    Privacy, Cyber Risk & Data Security

    Recently, the Massachusetts Division of Banks released examination procedures that incorporate cybersecurity as a module in all of its examinations of banks and non-bank licensees. The procedures contain two separate workbooks. The first, NDIS IT/Information Security Examination Work-program, contains questions related to a Licensee’s (i) risk assessment and management oversight; (ii) written information security program; (iii) data security operations; (iv) business continuity and disaster recovery; (v) cybersecurity; and (vi) IT audit. Section VII of the workbook provides space for an examination summary, and Section VIII of the first workbook contains various links to examination resources, including, but not limited to, the FFIEC Interagency Guidelines Establishing Information Security Standards, and a copy of 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth. The second, Non-Depository Institution Supervision Information Technology Officer’s Questionnaire, “contains questions covering significant areas of the Licensee’s [IT] function.”

    Last year, the Division sent a communiqué to the CEOs of regulated institutions encouraging them to perform a cybersecurity assessment using the FFIEC Cybersecurity Assessment Tool and noted that it would review those assessments in future examinations.

    Examination Privacy/Cyber Risk & Data Security

  • Department of Commerce Reveals EU-U.S. Privacy Shield Framework

    Privacy, Cyber Risk & Data Security

    This week, the Department of Commerce released a package related to the EU-U.S. Privacy Shield Framework for transatlantic data flows. In February, the European Commission announced that the U.S. and the European Commission had agreed to a new Framework, but the Department of Commerce’s recently issued package is the first time the text of the agreement has been made available to the public. In addition to including the Framework itself, the package contains various copies of correspondence from U.S. officials discussing matters related to the Framework and how the appropriate U.S. government agencies will ensure the Framework, if adopted, will be enforced. Among other things, the new agreement (i) requires companies to respond to consumer complaints within 45 days of receiving the complaint; and (ii) describes a binding arbitration option for “certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield.” Significantly, as noted in a statement from the European Commission, a final decision regarding the implementation of the Framework has not yet been made: “Now, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the [members of the Commission]. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.”

    On a related note, President Obama signed the Judicial Redress Act last week, which will lead to the highly anticipated signature of the EU-U.S. Data Protection Umbrella Agreement.

    Privacy/Cyber Risk & Data Security

  • Massachusetts AG Announces New Consumer Advocacy and Response Division

    Consumer Finance

    On March 3, Massachusetts AG Healey announced a new Consumer Advocacy and Response Division (CARD) intended to protect Massachusetts consumers from alleged fraud, unfair business practices, and consumer abuse. The CARD staff will assist consumers with issues such as (i) auto purchasing and financing; (ii) data security and identity theft; (iii) debt collection; and (iv) foreclosure prevention. In 2015, AG Healey’s office handled more than 2,600 consumer complaint cases, resolving issues related to debt collection, auto lending, and securing refunds for disputed charges with cellular phone carriers.

    Foreclosure State Attorney General Auto Finance Debt Collection Privacy/Cyber Risk & Data Security

  • President Obama Signs into Law the Judicial Redress Act

    Privacy, Cyber Risk & Data Security

    On February 24, President Obama signed the Judicial Redress Act, legislation that, according to the President, ensures “data is protected in the strongest possible way with our privacy laws.” The legislation is considered critical to EU-U.S. data flows in that it paves the way for the extension of Privacy Act rights to EU citizens, which will give them rights to seek Privacy Act remedies via civil action in U.S. courts. Regarding the Act, Věra Jourová, the EU Commissioner for Justice, Consumers, and Gender Equality, commented, “[t]he entry into force of this Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement. This agreement will guarantee a high level of protection of all personal data, regardless of nationality, when transferred across the Atlantic for law enforcement purposes.”

    The signing of the Judicial Redress Act comes after the European Commission’s approval of the EU-U.S. Privacy Shield, a new framework for transatlantic data flows.

    Obama Privacy/Cyber Risk & Data Security

  • California AG Harris Issues Data Breach Report

    Privacy, Cyber Risk & Data Security

    On February 16, California AG Kamala Harris released a report analyzing data breaches reported to her office from 2012 through 2015. During that time period, the report identifies 657 data breaches that compromised more than 49 million Californians’ personal information. The report summarizes the scope of California’s existing breach notice law and notes that notification laws in 46 other states were modeled after California’s original law. According to the report, federal data breach proposals currently under consideration in Congress would, among other things, (i) set the consumer protection bar very low; (ii) infringe on state-based innovation; (iii) encroach on enforcement by state attorneys general; (iv) narrowly define harm and personal information; and (v) set “overly rigid timelines for notification.” The report provides recommendations for organizations and state policymakers on how to improve data security. Specifically, the report recommends that organizations: (i) adopt the Center for Internet Security’s Critical Security Controls relevant to the organization’s specific environment; (ii) use multi-factor authentication to protect critical systems and data, and make the multi-factor authentication available on consumer-facing online accounts containing sensitive personal information; (iii) consistently use strong encryption to protect personal information on laptops and other portable devices; and (iv) encourage persons affected by a breach of Social Security or driver’s license numbers to place a fraud alert on their credit files. Finally, the report recommends that state policymakers “collaborate in seeking to harmonize state breach laws on some key dimensions.”

    State Attorney General Privacy/Cyber Risk & Data Security

  • Department of Homeland Security Publishes CISA Procedures and Guidance

    Privacy, Cyber Risk & Data Security

    On February 16, DHS published guidance for both private and federal entities on the sharing of cyber threat indicators with the federal government. As required by the Cybersecurity Information Sharing Act of 2015 (CISA), DHS and DOJ jointly released the following four documents: (i) Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government; (ii) Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with the Federal Entities; (iii) Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government; and (iv) Privacy and Civil Liberties Interim Guidelines. The first two documents focus on helping private sector and federal entities identify indicators of, and defensive measures against, cybersecurity threats. The third document establishes procedures relating to the receipt of certain cyber threat indicators and defensive measures by all federal entities under CISA. The fourth document establishes interim privacy and civil liberties guidelines for federal entities on the receipt, retention, use, and dissemination of cyber threat indicators.

    DOJ Privacy/Cyber Risk & Data Security

  • Obama Administration Announces Executive Orders: Commission on Enhancing National Cybersecurity; Establishment of the Federal Privacy Council

    Privacy, Cyber Risk & Data Security

    On February 9, President Obama issued two Executive Orders (EO) titled Commission on Enhancing National Cybersecurity and Establishment of the Federal Privacy Council. The first EO creates a Commission on Enhancing National Cybersecurity (Commission), which will be composed of top industry thinkers from outside of the government. The President will appoint the Commission’s members, with the Speaker of the House of Representatives, the Minority Leader of the House of Representatives, the Majority Leader of the Senate, and the Minority Leader of the Senate each invited to recommend one individual for membership. As outlined in the White House’s Fact Sheet on the EO, the Commission will, among other things, (i) assist in diagnosing and addressing the causes of cyber-vulnerabilities; (ii) “make detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of Government”; and (iii) report specific findings and recommendations to the President before the end of 2016.

    With the creation of the Federal Privacy Council, senior privacy officials from various Government agencies will come together to (i) develop recommendations on government privacy policies and requirements; (ii) collaborate on ideas, best practices, and approaches for protecting privacy and implementing appropriate safeguards; (iii) evaluate how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters, making the appropriate recommendations; and (iv) perform other privacy-related functions, consistent with law, that the Chair designates. Ultimately, this “interagency support structure” will be the principal “forum to improve the Government privacy practices of agencies and entities acting on their behalf.”

    Privacy/Cyber Risk & Data Security Obama

  • FDIC Issues Winter 2015 Supervisory Insights

    Consumer Finance

    On February 1, the FDIC published its Winter 2015 issue of Supervisory Insights to promote sound principles and practices for bank supervision. The most recent issue of Supervisory Insights focuses on the following four areas: (i) cybersecurity, highlighting the importance of maintaining a cybersecurity awareness training program and ensuring that a bank’s “executive management and Board of Directors (board) play a key role in overseeing programs to protect data and technology assets and establishing a corporate culture consistent with the bank’s risk tolerance”; (ii) marketplace lending, emphasizing associated risks, such as third-party arrangements, and the significance of examining the overall marketplace lending model to ensure that it is aligned with the bank’s business strategy; (iii) an assessment of the lending landscape for banks, describing current lending conditions and the risks reported in the FDIC’s Credit and Consumer Products/Services Survey; and (iv) an overview of recently released regulations and supervisory guidance, including the revised interagency examination procedures for the new TRID rule.

    The FDIC’s marketplace lending guidance comes after the California Department of Business Oversight’s December inquiry into the industry, requesting that 14 firms provide information on their business models and online platforms.

    FDIC TRID Privacy/Cyber Risk & Data Security

  • European Commission Announces Agreement with the US on the Framework for Transatlantic Data Flows

    Privacy, Cyber Risk & Data Security

    On February 2, the members of the European Commission approved a new framework for transatlantic data flows: the EU-US Privacy Shield. The European Commission and the United States agreed to a deal that reflects the requirements set forth in the Court of Justice of the European Union’s (CJEU) October 6, 2015 decision declaring the old Safe Harbor framework invalid. The agreement aims to protect “fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Specifically, the drafters of the new framework attempt to provide (i) robust obligations on U.S. companies to ensure that they are protecting Europeans’ personal data, such as strengthened monitoring by the Department of Commerce and the FTC and increased cooperation with European Data Protection Authorities; (ii) written commitments by the U.S. that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”; and (iii) effective protection of Europeans’ rights regarding how their data is handled, including several redress possibilities and the creation of an Ombudsperson to whom they can raise inquiries or complaints. Commenting on the agreement, Commission Vice-President Ansip stated, “[t]oday’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US.” In the upcoming weeks, the U.S. will prepare to put in place the new framework while Vice-President Ansip and Commissioner Jourová prepare a draft “‘adequacy decision,’” which could be “adopted by the [Commission] after obtaining the advice of the Article 29 Working Party (WP29) and after consulting a committee composed of representatives of the Member States.”

    In a February 3 statement, the WP29 maintained that it has concerns regarding the current U.S. legal framework to protect non-U.S. persons’ data. While it recognizes recent efforts by the U.S. to improve protection of personal data to meet the four essential guarantees for intelligence activities, the WP29 emphasized it will need to “consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-US Privacy Shield . . . [and] analyse to what extent [the] new arrangement will provide legal certainty for the other transfer tools.”

    Privacy/Cyber Risk & Data Security
