
InfoBytes Blog

Financial Services Law Insights and Observations


  • European Commission Announces Agreement with the US on the Framework for Transatlantic Data Flows

    Privacy, Cyber Risk & Data Security

    On February 2, the European Commission approved a new framework for transatlantic data flows, the EU-US Privacy Shield. The European Commission and the United States agreed to a deal intended to reflect the requirements set forth in the Court of Justice of the European Union’s (CJEU) October 6, 2015 decision declaring the old Safe Harbor framework invalid. The agreement aims to protect the “fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Specifically, the new framework is designed to provide (i) robust obligations on U.S. companies to ensure that they protect Europeans’ personal data, including strengthened monitoring by the Department of Commerce and the FTC and increased cooperation with European Data Protection Authorities; (ii) written commitments by the U.S. that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”; and (iii) effective protection of Europeans’ rights regarding how their data is handled, including several redress possibilities and the creation of an Ombudsperson to whom they can raise inquiries or complaints. Commenting on the agreement, Commission Vice-President Ansip stated, “[t]oday’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US.” In the coming weeks, the U.S. will prepare to put the new framework in place while Vice-President Ansip and Commissioner Jourová prepare a draft “adequacy decision,” which could be “adopted by the [Commission] after obtaining the advice of the Article 29 Working Party (WP29) and after consulting a committee composed of representatives of the Member States.”

    In a February 3 statement, the WP29 maintained that it has concerns regarding the current U.S. legal framework to protect non-U.S. persons’ data. While it recognizes recent efforts by the U.S. to improve protection of personal data to meet the four essential guarantees for intelligence activities, the WP29 emphasized it will need to “consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-US Privacy Shield . . . [and] analyse to what extent [the] new arrangement will provide legal certainty for the other transfer tools.”

    Privacy/Cyber Risk & Data Security

  • European Commission Celebrates Data Protection Day; Deadline for US-EU Data Protection Framework Approaches

    Privacy, Cyber Risk & Data Security

    On January 28, the European Commission issued a statement in observance of its 10th European Data Protection Day. Vice President Ansip and Commissioner Jourová commented on the December 2015 agreement on EU data protection reform, noting that “[w]ith one streamlined set of rules across the European Union, we will cut red tape and ensure legal certainty, so that both citizens and companies can benefit from the Digital Single Market.” The United States and the European Union are scheduled to reach an agreement on the “Safe Harbor” data transfer program in the upcoming week, to which Ansip and Jourová commented: “These flows are essential, between EU countries, but also between the EU and its closest partners. The European Commission is currently working on a renewed and safe framework on transfers of personal data with the United States. We need an arrangement that protects fundamental rights of Europeans and ensures legal certainty for businesses.”

    European Union Privacy/Cyber Risk & Data Security

  • New York AG Requires Transportation Company to Enhance Data Security Practices

    Privacy, Cyber Risk & Data Security

    On January 6, New York AG Schneiderman announced a settlement with a California-based transportation network company that requires the company to enhance its data security protection practices to ensure protection of consumers’ personal information. In November 2014, the AG’s office launched an investigation into the company’s collection, maintenance, and disclosure of users’ personal information “amid reports that [company] executives had access to riders’ locations and that the company displayed this information in an aerial view, known internally as ‘God View.’” Moreover, in February 2015, the company reported to the AG’s office that, as early as September 2014, it had experienced a data breach where company drivers’ names and license numbers were exposed to an unauthorized third party. In addition to the $20,000 penalty for failure to provide timely notice regarding the data breach, the settlement requires the company to (i) limit access to geo-location information to designated employees through technical access controls and a formal authorization and approval process; (ii) designate at least one employee to coordinate and supervise its privacy and security program; (iii) conduct annual training for employees implementing its data security practices and the handling of private information; (iv) adopt protective technologies for the storage, access, and transfer of private information, and the credentials required to access such information; (v) conduct regular assessments of the effectiveness of internal controls and procedures related to securing private information and geo-location information, as well as implement updates to such controls based on the assessments; and (vi) include a separate section in its consumer-facing privacy policy describing policies regarding location information collected from riders.

    Privacy/Cyber Risk & Data Security

  • SEC Outlines 2016 Examination Priorities

    Securities

    On January 11, the SEC’s Office of Compliance Inspections and Examinations issued its Examination Priorities for 2016. The examination priorities, which address issues across a variety of financial institutions, include (i) protecting retail investors, including those planning for retirement, by undertaking examinations to review exchange-traded funds (ETFs) and ETF practices, variable annuity recommendations and disclosure, and potential conflicts and risks involving advisers to public pension funds; (ii) evaluating market-wide risks by, among other things, continuing to focus on cybersecurity controls at broker-dealers and investment advisers; and (iii) using enhanced data analytics to assess anti-money laundering compliance, detect microcap fraud, and complete reviews of excessive trading. Additional areas of examination priority for 2016 include municipal advisors; private placements; investment advisers and investment companies that have not yet been examined; private fund advisers; and transfer agents.

    Examination Anti-Money Laundering SEC Broker-Dealer Privacy/Cyber Risk & Data Security

  • OFAC Publishes Cyber-Related Sanctions Regulations

    Privacy, Cyber Risk & Data Security

    On December 31, OFAC issued regulations to implement Executive Order 13694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Effective immediately, the regulations prohibit all transactions prohibited by Executive Order 13694, including dealing in property, or interests in property, of blocked persons that comes within the United States. Among other things, under Executive Order 13694 a party may be blocked if the U.S. government finds the party “to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” and that have one of the purposes or effects enumerated in the Order. OFAC’s Specially Designated Nationals (SDN) List will include persons blocked pursuant to the Executive Order and the regulations. OFAC intends to supplement the new regulations with a more comprehensive set of regulations, “which may include additional interpretive and definitional guidance, regarding ‘cyber-enabled’ activities, and additional general licenses and statements of licensing policy.”

    OFAC Privacy/Cyber Risk & Data Security

  • FTC Reveals Agenda for PrivacyCon

    Privacy, Cyber Risk & Data Security

    On December 29, the FTC revealed the full agenda for PrivacyCon, a Washington, D.C. conference scheduled to take place on January 14, 2016. Participants will examine current research and trends related to consumer privacy and data security. The event will host panels on the following topics: (i) the current state of online privacy; (ii) consumers’ privacy expectations; (iii) big data and algorithms; (iv) economics of privacy and security; and (v) security and usability.

    FTC Privacy/Cyber Risk & Data Security

  • OCC Releases Semiannual Risk Perspective Report

    Consumer Finance

    On December 16, the OCC released its Semiannual Risk Perspective report, which provides an overview of supervisory concerns for the federal banking system, including operational and compliance risks. According to the report, which covers data through June 30, 2015, strategic, compliance, and interest-rate risks remain unchanged, but risks connected to underwriting and cybersecurity continue to grow. Notable findings in the report reveal that (i) the low interest rate environment has led banks to reevaluate risk tolerance and extend their reach for yield; and (ii) banks are responding to competitive pressures and growth objectives by adopting a more relaxed approach toward credit underwriting standards and practices, particularly in high-growth loan segments such as indirect auto, commercial and industrial, and multifamily.

    The report emphasizes cyber threats and Bank Secrecy Act (BSA) and anti-money laundering (AML) risks as growing concerns, commenting that “[c]yber attacks against cybersecurity products and services further increase risk to banks because of the release or sale of malware and zero-day vulnerabilities,” and “BSA/AML risks remain high, as technological developments that benefit customers through enhanced products and greater access to financial services may be vulnerable to criminals who exploit such innovations.”

    OCC Anti-Money Laundering Bank Secrecy Act Risk Management Privacy/Cyber Risk & Data Security

  • Omnibus Spending Package Affects Cybersecurity Legislation

    Privacy, Cyber Risk & Data Security

    On December 15, Speaker Paul Ryan (R-WI) unveiled the omnibus spending bill, which includes the Cybersecurity Act of 2015, legislation that would affect how businesses share information with each other and with the government, and that would establish an information system for the government to share “cyber threat indicators and defensive measures in real time consistent with the protection of classified information” with federal and non-federal entities. The cybersecurity text included in the omnibus bill is a combination of three cybersecurity bills that were under legislative consideration this year: S. 754, the Cybersecurity Information Sharing Act of 2015; H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015; and H.R. 1560, the Protecting Cyber Networks Act. Designating the Department of Homeland Security as the government’s primary portal for receiving shared information, the revised legislation provides entities with liability protections for voluntarily sharing cybersecurity threat information with the government. Specifically, regarding the sharing or receipt of cyber threat indicators, the legislation reads, “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c).” Although the legislation includes text mandating that entities “implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual,” critics from privacy and civil liberties organizations argue that the language is vague, offering citizens little protection while enhancing intelligence agencies’ capability to invade personal privacy.

    The House is scheduled to vote on the legislation Friday, December 18, with the Senate – should the legislation pass the House – acting shortly thereafter.

    U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • FTC Announces Record Settlement with Identity Theft Protection Company over Alleged Failures to Adhere to a 2010 Court Order

    Privacy, Cyber Risk & Data Security

    On December 17, the FTC announced a $100 million settlement with an Arizona-based identity theft protection company for violating the terms of a prior federal court order. In 2010, the District Court of Arizona prohibited the company from engaging in deceptive advertising and required it to secure consumers’ personal information. According to the FTC’s contempt charges, the company violated the terms of the prior order primarily by (i) failing to establish and maintain an adequate information security program to protect consumers’ personal information, such as social security numbers, credit card numbers, and bank account numbers; (ii) falsely advertising that it protected consumers’ sensitive data by using the same sophisticated protections that financial institutions use; (iii) falsely advertising that it would send consumers alerts “as soon as” it received any indication that the consumer was a victim of identity theft; and (iv) failing to sufficiently create and retain records regarding the sale or provision of products or services related to identity theft.

    The settlement is the largest monetary award obtained by the FTC in an enforcement action. Of the $100 million, $68 million may be used to “redress fees paid to [the company] by class action consumers who were allegedly injured by the same behavior alleged by the FTC.” In addition to the monetary provisions, the company must adhere to the recordkeeping procedures outlined in the 2010 order for an additional 13 years.

    FTC Privacy/Cyber Risk & Data Security

  • European Commission Announces Agreement on New Cybersecurity Rules

    Privacy, Cyber Risk & Data Security

    On December 8, the European Commission announced that European Union lawmakers reached an agreement regarding cybersecurity and breach reporting legislation. The rules are intended to improve cybersecurity capabilities in Member States as well as their cooperation on cybersecurity, and will “require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to national authorities.” The text of the agreement is subject to formal approval by the European Parliament and the EU Council of Ministers; once officially published in the EU Official Journal, Member States will have 21 months to transpose the directive into their national laws and an additional 6 months to identify the operators of essential services it will cover.

    European Union Privacy/Cyber Risk & Data Security
