
InfoBytes Blog

Financial Services Law Insights and Observations


  • GAO Report On CFPB Data Collection And Privacy Practices Finds Room For Improvement

    Privacy, Cyber Risk & Data Security

    On September 22, the GAO issued a report regarding the privacy and data security implications of the CFPB’s data collection practices. The report, performed in part based on a request by Senator Crapo, notes the CFPB’s data includes three one-time collections of data that contain information that directly identifies individuals: arbitration case records, deposit account data regarding deposit advance products, and borrower-level activity regarding storefront payday loans. The report highlights several areas for improvement: (i) development of written procedures and documentation regarding data intake and information security risk assessments; (ii) implementation of privacy control steps and information security practices; and (iii) Paperwork Reduction Act compliance regarding credit card data. In a comment appended to the report, the CFPB outlines the reasons for its data collection efforts and concurs with the GAO’s recommendations addressed to the CFPB.

    CFPB Data Collection / Aggregation GAO Privacy/Cyber Risk & Data Security

  • FFIEC Announces Cybersecurity Preparedness Efforts

    Securities

    The Federal Financial Institutions Examination Council (FFIEC) recently announced a series of initiatives aimed at promoting cybersecurity preparedness for community financial institutions throughout the country. One such initiative is the creation of the Cybersecurity and Critical Infrastructure Working Group, which was launched in June 2013 in order to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. This announcement follows the FFIEC’s May 2013 press release that highlighted an emphasis on cybersecurity awareness. The FFIEC press release described a webinar that the FFIEC provided to 5,000 chief executive officers and senior managers from community financial institutions to raise awareness about the pervasiveness of cyber threats, and introduce new vulnerability and risk-mitigation assessments and regulatory self-assessments of supervisory policies and processes.

    FFIEC Privacy/Cyber Risk & Data Security

  • Delaware Enacts Law Governing Access To Digital Records After Death

    Privacy, Cyber Risk & Data Security

    On August 12, Delaware Governor Jack A. Markell signed the Digital Access and Digital Accounts Act, the first law in the nation to comprehensively govern access to a person’s digital assets, including social media and email accounts, after the person dies or becomes incapacitated. Under the new law, a Delaware resident’s digital assets will become part of his or her estate after death, and these assets will be accessible to heirs to the same extent as the deceased person’s physical, tangible assets. Digital assets are defined broadly to include data, texts, email, audio, video, images, sounds, social media and social networking content, health care and insurance records, computer codes and programs, software and software licenses, and databases, along with usernames and passwords. The law expressly does not apply to digital accounts of an employer regularly used by an employee in the usual course of business. The law requires any company that controls a person’s digital assets to give the legal fiduciary for the deceased’s estate the usernames, passwords, and any other information needed to gain access to the digital assets upon a valid written request. Any contrary provisions in service agreements or privacy policies that limit a fiduciary's access to digital accounts are void, although the account owner can specify that the account should remain private after death. The law also grants the company controlling the digital assets immunity for complying with valid requests for account access. The new law takes effect January 1, 2015.

    Privacy/Cyber Risk & Data Security

  • Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation of State Law for Unauthorized Credit Card Transactions Following Bank Data Breach

    Privacy, Cyber Risk & Data Security

    On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.

    Credit Cards Privacy/Cyber Risk & Data Security

  • FTC Finalizes Mobile Application Privacy Settlements

    Privacy, Cyber Risk & Data Security

    On August 19, the FTC approved final orders resolving allegations that two companies: (i) misrepresented the level of security of their mobile applications; and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company disabled a higher level of security validation, which allowed such credit card information to be intercepted. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which also left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.
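    The orders above describe apps that “disabled a higher level of security validation,” leaving card data open to interception in transit. The page does not say which validation was switched off. The following is an added example, not code from the FTC, the page, or either company, and it assumes the most common instance of that pattern in HTTP clients: turning off TLS certificate and hostname verification. It shows the weak client configuration beside the hardened one, an audit function that flags a context which will accept an attacker’s certificate, and a small source scanner (the function names, patterns, and the sample source are the editor’s own constructions) of the kind a vulnerability-intake or pre-release review could run over app code.

```python
"""Added example: TLS certificate validation disabled vs. enforced.

Assumption (not stated on the page): the "security validation" the apps
disabled was TLS certificate/hostname verification. All names and the
sample source below are constructed for illustration.
"""
import re
import ssl
from typing import List, Tuple


def build_context(insecure: bool = False) -> ssl.SSLContext:
    """Return a client SSLContext; insecure=True reproduces the anti-pattern."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context()
    if insecure:
        # The anti-pattern: silences certificate errors during development and
        # ships to production, so a man-in-the-middle's certificate is accepted.
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # Hardened: keep verification on and refuse pre-TLS-1.2 protocol versions.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means peers are verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


# Source-level signatures of disabled validation across common client stacks.
# Labels are descriptive only; the regexes are deliberately narrow.
DISABLE_PATTERNS = [
    (re.compile(r"verify\s*=\s*False"), "requests: verify=False"),
    (re.compile(r"CERT_NONE"), "ssl: verify_mode=CERT_NONE"),
    (re.compile(r"check_hostname\s*=\s*False"), "ssl: hostname check disabled"),
    (re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"), "Android: hostname verifier disabled"),
    (re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"), "Java: empty TrustManager"),
    (re.compile(r"setAllowsAnyHTTPSCertificate"), "iOS: private API accepting any certificate"),
]


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, label) for each line matching a disabled-validation pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in DISABLE_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


# Constructed sample source (not from any real app) mixing Python and Java lines.
SAMPLE_SOURCE = """\
# constructed sample, not code from either company
session = requests.Session()
session.verify = False                     # "temporary" debug setting
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
public void checkServerTrusted(X509Certificate[] c, String a) {}
"""


if __name__ == "__main__":
    print("insecure context:", audit_context(build_context(insecure=True)))
    print("hardened context:", audit_context(build_context()))
    for lineno, label in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```

The audit catches the disabled state at runtime, which matters because the weakening often lives in a shared HTTP helper rather than at the call site; the scanner catches it before release, which is the kind of check the “comprehensive program” in these orders would institutionalise.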

    FTC Mobile Commerce Enforcement Privacy/Cyber Risk & Data Security

  • FTC Reports Mobile Shopping App Consumer Disclosures Are Insufficient

    Privacy, Cyber Risk & Data Security

    On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.

    FTC Mobile Commerce Mobile Payment Systems Disclosures Privacy/Cyber Risk & Data Security

  • Payment Cards Security Standards Organization Publishes Third-Party Security Assurance Guidance

    Privacy, Cyber Risk & Data Security

    On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.

    Credit Cards Payment Systems Vendors Payment Processors Privacy/Cyber Risk & Data Security

  • ANSI Seeks Participants For Technical Committee On Security

    Privacy, Cyber Risk & Data Security

    On June 25, the American National Standards Institute (ANSI) issued a call for organizations with an interest in security to participate in an advisory committee to a new International Organization for Standardization (ISO) technical committee. The ISO is planning to restructure its security sector to consolidate the work of three existing technical committees—Societal security; Fraud countermeasures and controls; and Management system for quality of private security company operations. The new committee will begin work on January 1, 2015 and will cover standardization in the field of security including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, and homeland security. Organizations interested in participating in the advisory committee must contact ANSI by July 4, 2014.

    Privacy/Cyber Risk & Data Security

  • Florida Strengthens Data Breach Law

    Privacy, Cyber Risk & Data Security

    On June 20, Florida Governor Rick Scott signed SB 1524, which significantly revises and strengthens the state’s data breach notice law, making it among the toughest in the country. The bill shortens the timeline for providing notice of a data breach to require notice to consumers within 30 days of the “determination of a breach.” The bill also adds a parallel requirement to notify the state attorney general’s office for an incident affecting more than 500 state residents. The bill also provides that consumer notice by email will no longer require an E-SIGN consent. The new law clarifies the application of data breach requirements by amending the definition of “covered entity” to mean “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.” The bill also expands the definition of “personal information” to add, as California did last year, a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account. The bill requires covered entities to take reasonable measures to (i) protect and secure data in electronic form containing personal information and (ii) dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Finally, the bill revised the risk-of-harm provision in two noteworthy ways: (i) as in Connecticut and Alaska, law enforcement must be consulted before the exemption from notice can be relied on, and (ii) the exemption appears to cover only consumer notice, not AG notice. The changes take effect July 1, 2014.

    State Attorney General Privacy/Cyber Risk & Data Security

  • OCC Report Highlights Cybersecurity, BSA-AML, Indirect Auto Underwriting Concerns

    Consumer Finance

    On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.

    OCC Anti-Money Laundering Auto Finance Bank Secrecy Act Vendors Privacy/Cyber Risk & Data Security
