
InfoBytes Blog

Financial Services Law Insights and Observations


  • U.S. Attorney General Discusses DOJ's Global Cybercrime Initiatives at Europol

    Privacy, Cyber Risk & Data Security

    On September 16, U.S. Attorney General Loretta Lynch addressed the European Cybercrime Center at Europol, where she highlighted recent and planned DOJ initiatives related to global cybercrime and cyber threat efforts and stressed the DOJ’s commitment to information-sharing with international law enforcement authorities. Lynch noted that the U.S. and the European Union recently signed an “Umbrella” Data Privacy and Protection Agreement aimed at strengthening the countries’ ability to take on crime and terrorism while protecting personal privacy. In addition, Lynch revealed that the DOJ intends to temporarily assign a U.S. attorney from the DOJ’s Criminal Division to work alongside European authorities to enhance collaboration and information-sharing.

    DOJ Enforcement Privacy/Cyber Risk & Data Security

  • Traders Who Allegedly Profited from Hacked News Releases Settle With SEC for $30 Million

    Privacy, Cyber Risk & Data Security

    On September 14, the SEC announced that it had reached a $30 million settlement with two defendants who allegedly profited from trading based on information hacked from newswire services. The settlement stems from an SEC complaint filed in August against 34 defendants for their alleged involvement in an international scheme that generated over $100 million in illegal profits over a five-year period. According to the SEC charges, defendants hacked into newswire services and transmitted stolen data to a network of international traders. The SEC claims that the parties to the settlement made $25 million in illicit profits by buying and selling contracts-for-differences (CFDs) based on hacked press release information they received from other defendants. In the proposed settlement offer, which requires court approval, the two defendants neither admit nor deny the SEC’s allegations, but agree to be enjoined from violating U.S. and SEC securities antifraud provisions, and to return $30 million in alleged illegal profits. The Chief of the SEC Enforcement Division’s Complex Financial Instruments Unit stated that the discovery and prosecution of the scheme “should serve as a shot across the bow of any trader who thinks that CFDs traded outside the United States can be used to mask their unlawful conduct,” and demonstrates the SEC’s “ability to police this opaque market.” The SEC’s case against the remaining 32 defendants remains pending.

    SEC Enforcement Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cybersecurity and Insurance

    Privacy, Cyber Risk & Data Security

    On September 10, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the Center for Strategic and International Studies Strategic Technologies Program in Washington, D.C. After summarizing threats posed to U.S. companies and strategic interests, citing notable recent cyberattacks, Raskin laid out the roles governments, the insurance industry, and state insurance regulators can take in responding to cyberattacks.

    Raskin noted that governments can facilitate information-sharing related to cyber threats and deter incidents through law enforcement and diplomatic engagement as well as by imposing financial sanctions on wrongdoers overseas. The insurance sector can gauge the risks and costs posed by cyber incidents and provide an important risk mitigation tool by allowing policyholders to transfer some financial exposure associated with cyber events. The insurance qualification and underwriting process also encourages businesses to engage in increased cybersecurity and risk-mitigation activities. Finally, state insurance regulators can assist response by setting standards for cybersecurity and the protection of the sensitive information of policyholders at the entities that they regulate.

    Department of Treasury Cyber Insurance Privacy/Cyber Risk & Data Security

  • Pennsylvania Regulator Addresses Cybersecurity

    Privacy, Cyber Risk & Data Security

    On September 8, Pennsylvania Department of Banking and Securities’ Secretary Robin Wiessmann issued a letter to Pennsylvania state-chartered, licensed, and registered financial services institutions and companies regarding the Department’s cybersecurity efforts to “prevent and defend against cyberattacks, reduce vulnerability, minimize damage and recover times, and promote awareness and education.” The letter encourages such entities to (i) develop cybersecurity attack prevention and mitigation plans; (ii) identify their cybersecurity vulnerabilities; (iii) evaluate the means necessary to protect their networks and data; (iv) conduct regular vulnerability assessments and penetration tests of their networks; (v) encrypt customer and investor data; (vi) ensure their operating systems are up-to-date; (vii) frequently update and utilize anti-virus software; and (viii) train and evaluate their staff and vendors, as well as educate their customers, regarding cybersecurity risks. In addition to reminding the Department’s regulated financial institutions and companies of the FFIEC’s June 30 release of a self-assessment tool designed to help evaluate cybersecurity risk, the letter also urges such entities to review the SEC's April 2015 cybersecurity guidance, which identifies cybersecurity “best practices” for registered investment companies and registered investment advisers.

    In a separate September 8 press release, the Department announced the formation of a Cybersecurity Task Force. Composed of regulatory, legal, and information technology staff, the task force is one of the first created by a state financial regulator to provide financial service companies with resources to address cybersecurity issues.

    Privacy/Cyber Risk & Data Security

  • FTC Chairwoman Ramirez Urges Start-Ups to Establish a "Culture of Security"

    Privacy, Cyber Risk & Data Security

    On September 9, FTC Chairwoman Edith Ramirez delivered remarks at the Start For Security workshop, an FTC initiative intended to provide start-ups and developers with the resources and information necessary to integrate effective data security strategies into their products. In her remarks, Ramirez advised companies to establish a “culture of security” by: (i) embedding privacy and security into the development process of apps and other products; (ii) testing the product to ensure that security defaults work properly and controls are secure; and (iii) establishing a “bug bounty” program or a contact point for when flaws, bugs, and vulnerabilities in software are discovered.

    FTC Privacy/Cyber Risk & Data Security

  • FTC to Host Privacy and Security Event

    Privacy, Cyber Risk & Data Security

    On August 28, the FTC announced that it will hold a public event, PrivacyCon, to examine current research and trends in protecting consumer privacy and security. Several “whitehat” researchers, academics, industry representatives, consumer advocates, and a range of government regulators are scheduled to address, among other things, how companies can protect against new security vulnerabilities. PrivacyCon will take place in Washington, D.C. on January 14, 2016.

    FTC Privacy/Cyber Risk & Data Security

  • California Governor Signs Executive Order Aimed At Strengthening Cybersecurity Strategy

    Privacy, Cyber Risk & Data Security

    On August 31, California Governor Edmund G. Brown signed Executive Order B-34-15. A response to recent cyber-attacks, this order is intended to bolster the state’s preparedness, to improve inter-agency, cross-sector coordination, and to reduce the likelihood and severity of such attacks. Specifically, the order establishes the California Cybersecurity Integration Center (Cal-CSIC) and explains that the Cal-CSIC “will work closely with the California State Threat Assessment System and the U.S. Department of Homeland Security and will facilitate more integrated information sharing and communication with local, state and federal agencies, tribal governments, utilities and other service providers, academic institutions and non-governmental organizations.”

    Under the order, the Cal-CSIC will also establish a multi-agency Cyber Incident Response Team, composed of personnel from the agencies, departments, and organizations that make up the Cal-CSIC. The Response Team will serve as California’s “primary unit to lead cyber threat detection, reporting, and response in coordination with public and private entities across the state.”

    Privacy/Cyber Risk & Data Security

  • Special Alert: Third Circuit Gives FTC Green Light to Continue Enforcing Corporate Data Security

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” The unanimous ruling found that “deficient cybersecurity” practices, which “fail to protect consumer data against hackers,” may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers.

    In affirming that the FTC has authority under Section 5 to pursue claims of inadequate data security, the Third Circuit explained that a company’s inadequate data security in the face of foreseeable intrusions falls within the plain meaning of “unfair.” The Third Circuit assured Wyndham that this authority does not enable the agency to dictate the type of locks on hotel room doors or the placement of guards on corporate premises. Nor does it have the authority to sue for every perceived deficiency, just as it would not have the authority to sue supermarkets simply for failing to consistently “sweep up banana peels.” However, the court pointed out that it matters how – and how many – consumers are affected by a company’s practice: “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”

    Wyndham had also argued that it lacked fair notice that the FTC had the authority to assess data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees “raising unfairness claims based on inadequate corporate cybersecurity” that put companies on notice of its enforcement authority in this space.

    The Third Circuit provided some guidance of its own on how companies can avoid FTC enforcement actions alleging unfairness in data security practices, stating that “the relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” The more sensitive consumer data a company collects, the more it must invest in sound data security safeguards.

    As a result, companies need to review their data security practices against both the standard enacted by Congress specifically to govern data security in the Gramm-Leach-Bliley Act and the much more general “unfairness” standard found in the FTC Act as well as other federal and state laws.


    * * *


    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.


    FTC Enforcement Privacy/Cyber Risk & Data Security

  • SCRA Compliance, Cybersecurity, and Responsible Innovation Remain Top Priorities at OCC

    Consumer Finance

    On August 31, Grovetta Gardineer, the OCC’s Deputy Comptroller for Compliance Operations and Policy, delivered remarks at the Association of Military Bankers of America annual workshop in Leesburg, VA. Throughout her presentation, Gardineer highlighted issues affecting financial institutions focused primarily on lending to servicemembers. Gardineer discussed the OCC’s ongoing efforts to identify and correct deficiencies within bank and thrift compliance practices and noted improved Servicemembers Civil Relief Act (“SCRA”) compliance by regulated institutions. Specifically, Gardineer observed that in 2014, the OCC cited sixty-five SCRA violations among large, midsized, and community institutions. For the first quarter of 2015, however, Gardineer reported that OCC examiners cited only seven SCRA violations. Gardineer also referenced recent amendments to the Military Lending Act (“MLA”) which expanded consumer protections to both open-end and closed-end consumer credit for servicemembers; she emphasized that banks should be proactive in updating their internal policies and procedures to reflect the MLA’s changes. Reiterating the OCC’s commitment to cybersecurity, Gardineer advised that OCC examiners intend to use the cybersecurity assessment tool “to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.” Finally, Gardineer discussed innovation within the industry, such as the emergence of various mobile payments transfer systems and peer-to-peer lending. She stressed that the OCC intends to facilitate a responsible regulatory environment that will encourage innovative financial products and services while also implementing regulations to ensure adequate consumer protections.

    OCC SCRA Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Third Circuit Affirms District Court's Decision Asserting FTC's Authority over Companies' Data Security Practices

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015). The unanimous ruling found that deficient cybersecurity practices that fail to protect consumer data against hackers may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers. Wyndham argued that it lacked fair notice that the FTC had the authority to police data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees raising unfairness claims based on inadequate cybersecurity that put companies on notice of its enforcement authority in this space.


    FTC Privacy/Cyber Risk & Data Security
