
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC Settles With Debt Brokers For Leaking Sensitive Consumer Information

    Privacy, Cyber Risk & Data Security

    On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined initially by a certified third party and again, thereafter, every two years for a duration of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • Target and MasterCard Reach $19 Million Agreement Over Data Breach

    Privacy, Cyber Risk & Data Security

    On April 15, retail company Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its credit card issuers to cover operational costs and fraud-related losses resulting from a data breach incident in 2013. According to a press release issued by Target, the agreement is dependent upon, among other things, 90 percent of eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015. Eligible issuers, mostly banks and credit unions, that accept the offer will be required to release any current or future claims against Target with respect to the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later time.

    Credit Cards Privacy/Cyber Risk & Data Security

  • NYDFS Cyber Security Report Shows Vulnerabilities in Banks' Third-Party Vendors

    Privacy, Cyber Risk & Data Security

    On April 9, the NYDFS released a report finding potential cyber security vulnerabilities with banks’ third-party vendors, based on a survey of 40 banking organizations regarding the cyber security standards in place for their vendors. Notable findings from the report include: (i) nearly one in three banks surveyed currently do not require third-party vendors to notify them in the event of an information security breach or other cyber security breach; (ii) fewer than half of the banks conduct any on-site security assessments of their third-party vendors; (iii) about one in five of the banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements; (iv) only one-third of the banks require information security requirements to be extended to subcontractors of the third-party vendors; and (v) nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products. According to the press release, NYDFS plans to strengthen cyber security standards for banks’ third-party vendors through regulations, including addressing the representations and warranties banks receive about cyber security protections in place.

    Vendors Privacy/Cyber Risk & Data Security NYDFS

  • White House Issues Executive Order To Combat Cyber Attacks

    Privacy, Cyber Risk & Data Security

    On April 1, President Obama issued an executive order granting the Department of Treasury new authority to impose sanctions against individuals or entities that engage in activities which benefit from cyber attacks against the U.S., including financial institutions. The executive order is a response to an increase in malicious cyber-enabled activities that continue to pose a threat to the United States’ national security, foreign policy, and economy. As noted in a statement released by Treasury Secretary Jack Lew, the executive order “allows [Treasury] to expose and financially isolate those who hide in the shadows of the Internet to conduct malicious cyber activities that threaten the national security, foreign policy, or economic health or financial stability of the United States.” The announcement follows earlier measures taken by the White House to combat cyber attacks, including the creation of a new federal agency to facilitate the sharing of information about potential threats.

    Department of Treasury Obama Privacy/Cyber Risk & Data Security

  • FFIEC Releases Statements on How Financial Institutions Can Identify and Mitigate Cyber Attacks

    Privacy, Cyber Risk & Data Security

    On March 30, the FFIEC announced two separate statements regarding cyber attacks at financial institutions: Statement on Destructive Malware and Statement on Compromising Credentials. The statements come in light of the growing number of attacks within the past two years and outline how financial institutions can ensure that the risk management processes and business continuity planning in place are sufficient for mitigating attacks and recovering from attacks that do occur. Noting the FFIEC’s existing guidelines for financial institutions, the report includes, but is not limited to, reminders to do the following: (i) securely configure systems and services; (ii) improve information security awareness and training programs; (iii) protect against unauthorized access to systems; (iv) participate in information-sharing forums; and (v) continually conduct information security risk assessments.

    FFIEC Privacy/Cyber Risk & Data Security

  • FTC Creates New Office To Investigate Consumer Technologies

    Privacy, Cyber Risk & Data Security

    On March 23, the FTC announced – via blog post – the formation of the Office of Technology Research and Investigation (OTRI), a newly formed research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and will have an enhanced mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smart phones, smart homes, emerging payment methods, Internet of Things, and big data.

    FTC Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cyber Security

    Privacy, Cyber Risk & Data Security

    On March 25, Department of the Treasury’s Deputy Secretary Raskin delivered remarks regarding the agency’s efforts to enhance cybersecurity as the number of cyber-attacks continues to increase. Raskin outlined three specific areas where financial institutions can better prepare for cyber threats and enhance “cyber resilience” in the event of a cyberattack: (i) increase information sharing among financial institutions, thereby making this a priority for the financial sector worldwide; (ii) ensure that safeguards are in place for all third-party vendors with access to the financial institution’s data and systems; and (iii) design a cyber-preparedness “playbook” that has a “detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery and time costs, and instill confidence in outside stakeholders and the public.”

    Vendors Department of Treasury Privacy/Cyber Risk & Data Security

  • FFIEC Provides Overview of Cybersecurity Priorities

    Privacy, Cyber Risk & Data Security

    On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.

    FFIEC Bank Supervision Privacy/Cyber Risk & Data Security

  • Large Retailer Agrees to Pay $10 Million Related to Data Breach Incident

    Privacy, Cyber Risk & Data Security

    On March 19, a district court granted preliminary approval of a proposed settlement in which a large retailer agreed to pay $10 million to settle a class action suit related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. Under the proposed settlement, the retailer will deposit the settlement amount into escrow to pay individual victims up to $10,000 in damages. In addition, the proposed settlement requires the retailer to (i) maintain a written information security program and (ii) appoint a Chief Information Security Officer. The proposed settlement is pending court approval.

    Class Action Privacy/Cyber Risk & Data Security

  • Financial Institutions File Class Action Suit In Response to Data Breach

    Privacy, Cyber Risk & Data Security

    On March 13, a federal credit union filed a class action suit against a national retailer and parent company, alleging their actions during a September 2014 data breach injured credit unions, banks, and other financial institutions. Greater Chautauqua FCU v. Kmart Corp and Sears Holdings Corp., No. 15-cv-2228 (N.D. Ill. Mar. 13, 2015). The complaint contends that financial institutions (i) were required to, among other things, refund fraudulent charges, respond to a higher volume of customer complaints, and increase fraud monitoring efforts, and (ii) lost revenue due to a decrease in card usage after the breach was disclosed. The complaint alleges that the retailer failed to maintain adequate data security under applicable payment card industry standards, particularly in the wake of well-publicized data breaches at other retailers by third parties using similar techniques and malicious software. Moreover, the retailer failed to detect or notify customers for a period of at least five weeks. The complaint was filed in US District Court for the Northern District of Illinois, and alleges damages in excess of $5,000,000 for violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Business Act, and New York General Business Law, as well as negligence, and negligent misrepresentation and/or omission.

    Class Action Privacy/Cyber Risk & Data Security
