InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Visa, MasterCard Announce Payment Security Working Group
On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
FTC Announces International Privacy Initiatives
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange of information for the purpose of investigating, enforcing, and/or securing compliance with certain privacy violations. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map together the requirements for APEC Cross Border Privacy Rules and EU Binding Corporate Rules, which is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.
State Banking Associations Object To Senators' Request For Increased Bank Payment System Security Oversight
On March 5, 53 state bankers associations sent a letter to Federal Reserve Board Chair Janet Yellen defending banks’ efforts to secure consumer financial data and highlighting the responsibilities of other parties, in particular merchants, to do the same. The banking associations, representing bankers in every state and Puerto Rico, took issue with a letter Democratic Senators Dick Durbin (D-IL) and Al Franken (D-MN) sent last month to the Federal Reserve Board Chair seeking information about the Board’s oversight of card issuers’ fraud prevention policies and recommending that the Board do more to verify the effectiveness of such policies. The banking associations contend that the Senators’ letter is a “thinly veiled effort to once again advance the regulation of interchange under the guise of current concerns over data security,” and criticize the Senators for converting a discussion about security responsibilities into one about interchange fees.
SEC Announces Cybersecurity Roundtable
On February 14, the SEC announced that it will host a roundtable on March 26, 2014, to discuss cybersecurity challenges for market participants and public companies. The roundtable will be held at the SEC’s Washington, D.C. headquarters and will be open to the public and webcast live on the SEC’s website.
Federal Reserve Board Proposes To Repeal Duplicative Regulations Amend Identity Theft Red Flags Rule
On February 12, the Federal Reserve Board proposed to repeal its Regulation DD, which implements the TISA, and Regulation P, which implements Section 504 of the GLBA because the Dodd-Frank Act transferred rulemaking authority for those laws to the CFPB, and the CFPB has already issued interim final rules implementing them. The Board also proposed to amend the definition of “creditor” in its Identity Theft Red Flags rule, which implements Section 615 of the FCRA. Generally, the Indemnity Theft Red Flags rule requires each financial institution and creditor that holds any consumer account to develop and implement an identity theft prevention program. The proposed revision will exclude from the foregoing requirements businesses that do not regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person. The Board will accept comments on the proposal for 60 days from publication in the Federal Register.
NIST Releases Final Cybersecurity Framework
On February 12, the Obama Administration released the Cybersecurity Framework prepared by NIST, as called for by Executive Order 13636 issued by President Obama one year ago. The Framework organizes best practices regarding cyber risks into three components—the Framework Core, Profiles and Tiers—each of which “reinforces the connection between business drivers and cybersecurity activities.” The Framework Core component is described as a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped into five functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level view of an organization’s management of cyber risks. The second component, Profiles, is designed to assist organizations in aligning their cybersecurity activities with business requirements, risk tolerances, and resources. Finally, the Tiers component provides a mechanism for organizations to view their approach and processes for managing cyber risk. The Department of Homeland Security has established a voluntary program intended to increase awareness and use of the Framework to help organizations of all sizes manage cybersecurity risks and improve security and resilience of critical infrastructure. NIST hopes the Framework will serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. NIST will continue to update and improve the Framework as the industry provides feedback on implementation. NIST also issued a Roadmap that discusses its next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.
House Committee Approves Cybersecurity Bill
On February 5, the House Homeland Security Committee unanimously approved H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (the NCCIP). The NCCIP builds on many of the ideas set forth in the February 2013 Presidential Executive Order on cybersecurity. The bill seeks to enhance cybersecurity readiness in governmental and private institutions, in part, by facilitating information sharing and a “public-private collaboration” between government agencies and “critical infrastructure owners” and by promoting “cross-sector coordination and sharing of threat information” through NIST. The bill directs NIST to develop voluntary best practices that include individual privacy and civil liberty protections. The NCCIP also amends the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) to provide liability protections for those selling or providing agency-approved cybersecurity technology to customers.
FTC Announces Settlement Over Alleged Violations Of International Safe Harbor Privacy Framework
On February 11, the FTC announced a settlement to resolve allegations that a children’s online entertainment company falsely claimed it was abiding by the U.S.-EU Safe Harbor international privacy framework. The FTC alleged that the company deceptively claimed through statements in its privacy policy that it held current certifications under the Safe Harbor Framework even though it had allowed its certification to lapse. The FTC did not allege that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws. The proposed settlement agreement, which is subject to public comment, would prohibit the company from misrepresenting the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The action follows a dozen similar actions recently announced by the FTC.
Congressional Committees Review Data Breaches, Potential Federal Responses
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
Senate Commerce Committee Expands Data Broker Inquiry
On February 3, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) again expanded his investigation of data brokers when he asked six brokers for information on the compilation and sale of products that identify consumers based on their financial vulnerability or health status. The issue was raised recently in a majority staff report, which was released in connection with a December 2013 committee hearing. The Chairman cited “serious concerns regarding the sale and dissemination of lists identifying a consumer’s fragile health or financial circumstances without the consumer’s knowledge or permission,” which Mr. Rockefeller believes can be used by businesses seeking to target vulnerable customers for financially risky lending products or fraud schemes. The Chairman seeks a broad range of information about the companies’ data collection and sales practices conducted over a five year period. The letters are the latest in an ongoing review by the Committee, which previously expanded the scope of the review in September 2013.