InfoBytes Blog

Financial Services Law Insights and Observations

  • President Obama Proposes New Data Privacy Legislation

    Privacy, Cyber Risk & Data Security

    On January 12, President Obama announced new privacy initiatives to combat identity theft, enhance consumer security, and improve data privacy online and in the classroom. His main legislative proposals call for (i) a Personal Data Notification & Protection Act, which would specify the obligations that companies have when a consumer’s personal information has been exposed, establish a 30-day notification requirement following a company’s discovery of a data breach, and criminalize illicit overseas trade in identities; (ii) a Consumer Privacy Bill of Rights; and (iii) increased protections for data collected from students.  The President called for Congressional support, saying privacy is not a partisan issue.

    Obama Privacy/Cyber Risk & Data Security

  • President Obama Announces New Cybersecurity Proposals

    Privacy, Cyber Risk & Data Security

    On January 13, President Obama visited the National Cybersecurity and Communications Integration Center to announce a variety of legislative and administrative proposals, many of which were updates to his 2011 Cybersecurity Legislative Proposal, designed to confront cybersecurity threats.  These updated proposals, he stated, would promote better cybersecurity information sharing between the government and the private sector and enhance collaboration and information sharing within the private sector.  To encourage and facilitate such sharing, private companies that share cyber threat information while conforming to privacy protection requirements would receive liability protection.  In addition, the President asked that law enforcement be given better tools and authority to fight cybercrime. These tools would include measures that criminalize the overseas sale of stolen financial information like credit card and bank account numbers, updates to the Racketeer Influenced and Corrupt Organizations Act that would apply it to cybercrimes, and reforms to the Computer Fraud and Abuse Act to ensure that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information by using it for their own purposes.  In addition, the President announced a White House Summit on Cybersecurity and Consumer Protection, to be held at Stanford University on February 13, 2015.

    Privacy/Cyber Risk & Data Security Obama

  • SEC Announces 2015 Examination Priorities

    Securities

    On January 13, the SEC announced its Office of Compliance Inspections and Examinations’ examination priorities for 2015. The examination priorities cover a wide range of financial institutions and focus on three areas: (i) protecting retail investors, especially those saving for or in retirement; (ii) assessing market-wide risks, including cybersecurity compliance and controls; and (iii) using data analytics to identify signals of potential illegal activity. As to the risks to retail investors, the SEC noted that such investors are being sold products and services that were formerly characterized as alternative or institutional, including private funds, illiquid investments, and structured products. In addition, financial services firms are offering information, advice, products, and services to help retail investors plan for retirement. The SEC intends to assess the risks to retail investors that can arise from these trends.

    Examination SEC Privacy/Cyber Risk & Data Security

  • NY AG Plans to Propose Bill that would Strengthen Data Security and Consumer Protection Laws

    Privacy, Cyber Risk & Data Security

    On January 15, New York AG Eric Schneiderman announced that he intends to propose legislation that would “overhaul New York State’s data security law and require new and unprecedented safeguards for the personal data of consumers.” Specifically, the bill would (i) make companies responsible for protecting a broader range of information by expanding the definition of “private information;” (ii) require better data security measures for entities that collect and/or store private information; and (iii) create a safe harbor for companies that would shield them from liability if they adopt heightened security practices. In addition, the proposal would incentivize companies to share forensic data with authorities in the event of a data breach by ensuring that disclosure does not affect the company’s privileges. The proposed legislation follows the New York AG’s release of a July 2014 report, which examined the growing number of data breaches occurring within the state. Schneiderman expects the new law to be “the strongest, most comprehensive in the nation… [making] [New York] a national model for data privacy and security.”

    Privacy/Cyber Risk & Data Security

  • Software Company Releases New E-Signature Product

    Privacy, Cyber Risk & Data Security

    On January 8, Kofax Limited, a California-based software company, released SignDoc Enterprise, a product that allows lenders to capture and process electronic signatures. The software gives consumers the ability to sign and return documents securely from their personal computer or mobile device. The software also supports "click to sign" and handwritten signatures, and can capture biometrics at the time of signing for greater security and authentication.

    ESIGN Electronic Signatures Privacy/Cyber Risk & Data Security

  • National Institute of Standards and Technology Publishes New Guidance on Privacy Controls

    Privacy, Cyber Risk & Data Security

    On December 16, the NIST announced the release of its new guidance on assessing the security and privacy safeguards for federal information systems and organizations. The updated guidance will be used by government IT security professionals to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The new guidance complements the NIST’s Security and Privacy Controls for Federal Information Systems and Organizations catalogue.

    NIST Privacy/Cyber Risk & Data Security

  • Congress Passes Bill Clarifying Homeland Security's Role in Fighting Cyberthreats

    Privacy, Cyber Risk & Data Security

    On December 10, the U.S. Senate passed by voice vote S. 2519, the National Cybersecurity and Communications Integration Center Act of 2014. The bill would amend the Homeland Security Act of 2002 (12 U.S.C. § 121 et seq.) by codifying the current operations center in the Department of Homeland Security, which serves as a federal civilian information sharing interface for cybersecurity on behalf of Homeland Security’s Under Secretary. The information center oversees cross-sector coordination of shared information related to cybersecurity risk and incidents that could adversely impact multiple private sectors. In addition, the bill prescribes the composition of the information center and requires it to file yearly status reports. The bill will be submitted to the President for approval and signature.

    Privacy/Cyber Risk & Data Security

  • NY DFS Advises Banks On New Cybersecurity Examination Process

    Privacy, Cyber Risk & Data Security

    On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.

    Bank Supervision Privacy/Cyber Risk & Data Security NYDFS

  • Massachusetts Fines Bank for Data Breach

    Privacy, Cyber Risk & Data Security

    On December 8, a large bank settled with the state of Massachusetts for $825,000 over a data breach that exposed the personal information of at least 260,000 customers. In March 2012, the bank allegedly lost unencrypted backup tapes with customer information and failed to report the missing tapes until October 2012. According to the Massachusetts AG, the bank violated state law by failing to (i) sufficiently protect information; and (ii) provide timely notification of the data breach. In the settlement agreement, Massachusetts credited the bank with $200,000 to upgrade its security procedures, while $325,000 will be paid in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a consumer aid education fund.

    Enforcement Privacy/Cyber Risk & Data Security

  • Treasury Official Urges Banks to Consider Cyber Insurance, Assess Cybersecurity Readiness

    Privacy, Cyber Risk & Data Security

    On December 3, Deputy Secretary Raskin delivered remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference. During her prepared remarks, Raskin noted recent data security breaches across many business sectors, including financial services, and presented ten questions for bank CEOs to consider when assessing their institutions’ cybersecurity readiness. Notably, Raskin urged the bank executives to consider relatively new cyber risk insurance for the financial recovery it provides because the underwriting processes could enhance other cybersecurity controls and provide helpful information for assessing a bank’s risk level. Currently, over 50 insurance carriers offer some form of cyber insurance coverage. Raskin’s remarks come only weeks after Congressional leaders sent a letter to financial institutions requesting that they provide information about their ability to protect consumers and safeguard personal information in the event of a data breach or cyber-attack.

    Department of Treasury Risk Management Cyber Insurance Privacy/Cyber Risk & Data Security
