InfoBytes Blog

Financial Services Law Insights and Observations

  • DOJ Announces Formation of Cybersecurity Unit In Efforts to Prevent Cybercrime

    Privacy, Cyber Risk & Data Security

    On December 4, Assistant AG Leslie Caldwell delivered remarks at the Cybercrime 2020 Symposium regarding the DOJ’s recent efforts to fight cybercrime. Specifically, Caldwell noted the DOJ’s Criminal Division is (i) increasing its international law enforcement operations; and (ii) creating a committed Cybersecurity Unit to address the growing threat of cybercrime. The Cybersecurity Unit will take on the responsibility of enhancing the DOJ’s public and private security efforts, most notably by working with law enforcement to ensure that “legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.”

    DOJ Privacy/Cyber Risk & Data Security

  • Minnesota Federal Judge Allows Data Breach Suit Against Target to Proceed

    Privacy, Cyber Risk & Data Security

    On December 2, District Judge Paul Magnuson denied Target’s motion to dismiss the class action suit brought by banks in response to its 2013 data breach. In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (D. Minn., Dec. 2, 2014). The banks have alleged four claims against Target: (i) a general negligence claim that Target breached its duty to provide security and prevent the data breach; (ii) that Target violated Minnesota’s Plastic Security Card Act (PSCA) by retaining customer data which was subsequently stolen; (iii) that a violation of the PSCA is negligence per se; and (iv) a negligent misrepresentation by omission claim that Target made public statements regarding the strength of its data security system when it knew or should have known the system was deficient. The first three were allowed to proceed, and the last was dismissed, with leave to amend the complaint, for failure to allege the requisite reliance upon Target’s assertion of its secure system. Notably, Judge Magnuson found that the PSCA applies to all transactions completed by a company operating in Minnesota, not just transactions occurring within the state.

    Privacy/Cyber Risk & Data Security

  • Trade Associations Submit Letter to Congress regarding Cybersecurity Information Sharing

    Privacy, Cyber Risk & Data Security

    On December 3, the Merchant and Financial Associations Cybersecurity Partnership (“Partnership”) submitted a letter to Congress asking it to consider adopting cybersecurity information sharing legislation. Created in February in response to high-profile security breaches, the Partnership aims to protect retailers and financial institutions against cyber attacks. In its letter, the Partnership suggests that Congress adopt legislation that would “increase the current level of voluntary cybersecurity information sharing, while recognizing and responding to key privacy concerns.”

    Privacy/Cyber Risk & Data Security

  • Congressional Leaders Send Letters to Financial Service Providers Regarding Data Breaches

    Privacy, Cyber Risk & Data Security

    On November 18, Representative Elijah Cummings (D-MD) and Senator Elizabeth Warren (D-MA) sent letters to 16 financial service institutions regarding recent data breaches. The letters requested that the institutions provide information about the data breaches, including “detailed briefings from corporate IT security officers.” The letters were tailored to the specific institutions, with requests to two companies that they provide information on how the “potential data breaches may have affected their administration of government purchase and charge cards under contracts with the General Services Administration.” The letters also remind the institutions of their responsibility to protect and safeguard consumers’ personal information.

    Elizabeth Warren Privacy/Cyber Risk & Data Security

  • FFIEC Recommends Financial Institutions Join Information Sharing Forum to Mitigate Cyber Risks

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC released its observations from a cybersecurity assessment of more than 500 institutions, and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a medium to “identify, respond to, and mitigate cybersecurity threats and vulnerabilities.”  The FS-ISAC is a non-profit information sharing forum created by industry participants to share physical and cybersecurity threat information within the public and private sector. The assessment supplemented regularly scheduled bank examinations and built upon supervisory expectations contained within existing FFIEC information technology guidance.

    FFIEC Privacy/Cyber Risk & Data Security

  • Payment Industry Council Issues Best Practices For Security Awareness

    Privacy, Cyber Risk & Data Security

    Recently, the Payment Card Industry (PCI) Security Standards Council published guidance to help organizations strengthen their security awareness. The guidance, developed by retailers, banks, and technology providers, details three recommendations for implementing a security awareness program: (i) assembling a security awareness team; (ii) developing appropriate security awareness content for your organization; and (iii) creating a security awareness checklist. The PCI Security Standards Council is an open global forum composed of more than 650 organizations, including banks, merchants, processors, and vendors, responsible for the development, management, education, awareness, and standards to increase payment data security.

    Privacy/Cyber Risk & Data Security

  • FCC Joins Global Privacy Enforcement Network

    Privacy, Cyber Risk & Data Security

    On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.

    FCC Privacy/Cyber Risk & Data Security

  • CFPB Finalizes Rule To Limit Relief From Annual Privacy Notice Delivery Requirements

    Privacy, Cyber Risk & Data Security

    On October 20, the CFPB finalized its amendment to Regulation P, which requires that financial institutions meet specific consumer data-sharing requirements, including the delivery of annual privacy notices. Under the new rule, bank and nonbank institutions under the CFPB’s jurisdiction will now be allowed to post privacy notices online, rather than deliver an annual paper copy. Institutions that choose to post notices online must meet certain conditions, including (i) providing notice to consumers if the institution shares any data with third parties, in addition to providing an opportunity to opt out of such sharing; and (ii) using the 2009 model disclosure form developed by federal regulatory agencies. The institutions that choose to rely on the new delivery method must (i) ensure that customers are aware of the notices posted online; (ii) provide paper copies within ten days of a customer’s request; and (iii) make customers aware that the privacy notice(s) are available online—and that a paper copy will be provided at the customer’s request—by inserting a “clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure.” As outlined when the proposed rule was issued in May, the CFPB anticipates that the rule will: (i) provide consumers with constant access to privacy notices; (ii) limit the amount of an institution’s data sharing with third parties; (iii) educate consumers on the various types of privacy policies available to them; and (iv) reduce the cost for companies to provide privacy notices.

    CFPB Disclosures Privacy/Cyber Risk & Data Security

  • New York Attorney General's Office Settles With Large Financial Institution

    Privacy, Cyber Risk & Data Security

    On October 15, the New York Attorney General’s office announced a settlement with a large financial institution in connection with a 2012 data breach. Of the $850,000 settlement agreement, New York State will receive over $114,000. The terms of the settlement require that the bank reform its former security practices, which caused over one million customer files to be compromised. Specifically, in 2012, the bank lost over one million unencrypted files that contained personal information for over 200,000 customers nationwide. Going forward, the bank must (i) notify state residents of security breaches in a timely manner; and (ii) maintain security policies that will protect personal information.

    Privacy/Cyber Risk & Data Security

  • House Committee On Oversight And Government Reform Request Hearing Regarding Data Security Breach

    Privacy, Cyber Risk & Data Security

    On October 7, Elijah Cummings, the Ranking Member of the House Committee on Oversight and Government Reform, issued a letter asking committee Chairman Darrell Issa to hold a bipartisan hearing to examine a recent data security breach at a major U.S. financial institution. The breach is believed to have affected approximately 76 million households, in addition to 7 million small businesses. In his letter, Cummings told Issa that he believes an investigation into the breach “will help the Committee learn from [corporations] about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” This is not the first time Cummings has asked Chairman Issa to hold hearings on the issue of data security. Cummings previously called for hearings on the issue in January and September of this year. To date, Chairman Issa has not responded to Cummings’s requests.

    U.S. House Privacy/Cyber Risk & Data Security
