
InfoBytes Blog

Financial Services Law Insights and Observations


  • Payment Network Providers Seek Collaboration On Digital Payment Standard

    Fintech

    On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.

    Payment Systems Mobile Commerce Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Federal Agencies Issue Guidance On Reporting Elder Financial Abuse Under Gramm-Leach-Bliley

    Privacy, Cyber Risk & Data Security

    On September 23, eight federal agencies, including the Federal Reserve Board, the CFPB, the OCC, and the FDIC, issued interagency guidance to clarify the applicability of Gramm-Leach-Bliley Act privacy provisions to reporting suspected financial exploitation of older adults. The guidance states that although the Act generally prohibits a financial institution from disclosing nonpublic personal information about a consumer to any nonaffiliated third party without notifying the consumer and providing an opportunity to opt out of the disclosure, the Act contains several exemptions that generally allow for the reporting of suspected elder financial abuse, either at the request of a local, state, or federal agency or on the financial institution’s own initiative.

    FDIC CFPB Federal Reserve OCC Gramm-Leach-Bliley Seniors Privacy/Cyber Risk & Data Security Elder Financial Exploitation

  • Senator Expands Data Broker Investigation

    Privacy, Cyber Risk & Data Security

    On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.

    FTC U.S. Senate U.S. House Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • California Enacts Children's Online Privacy Legislation

    Privacy, Cyber Risk & Data Security

    On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor who is a registered user of the operator’s website, online service, online application, or mobile application to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses

    Privacy, Cyber Risk & Data Security

    On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry said bank cyberattacks have led to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ attempts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior management to be aware of and engaged on the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also urged institutions and their leaders to share information effectively, such as through industry cyber threat sharing organizations.

    OCC FFIEC Privacy/Cyber Risk & Data Security

  • OECD Revises Privacy Guidelines

    Privacy, Cyber Risk & Data Security

    Recently, the Organization for Economic Cooperation and Development (OECD) released updates to its privacy guidelines, with a focus on (i) practical implementation of privacy protection through risk management, and (ii) addressing the global dimension of privacy through improved interoperability. The revised guidelines, which the OECD describes as the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles, incorporate new concepts related to (i) national privacy strategies, (ii) privacy management programs, and (iii) data security breach notification. The new guidelines also reflect the organization’s modern views with regard to trans-border data flows, organizational accountability, and privacy enforcement.

    Privacy/Cyber Risk & Data Security

  • FTC Announces First "Internet of Things" Settlement

    Privacy, Cyber Risk & Data Security

    On September 4, the FTC announced its first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – what the FTC refers to as the “Internet of Things.” The company, which markets video cameras designed to allow consumers to monitor their homes remotely, agreed to settle the FTC’s allegation that its security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. The FTC claimed that the company marketed its products as “secure” when, according to the FTC, they had faulty software that potentially allowed for online viewing and listening. The company resolved the complaint without paying a penalty, but agreed to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The agreement also requires the company to obtain third-party assessments of its security programs every two years for the next 20 years, and prohibits the company from (i) misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit and (ii) misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit. The FTC is planning an “Internet of Things” workshop for later this year.

    FTC Privacy/Cyber Risk & Data Security

  • NIST Releases Draft Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    Recently, the National Institute of Standards and Technology (NIST) released a discussion draft of its preliminary cybersecurity framework. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The discussion draft framework provides a uniform guide for developing robust cybersecurity programs for organizations. It provides a common structure for managing cybersecurity risk, is intended to help organizations identify and understand their dependencies on business partners, vendors, and suppliers, and is designed to facilitate coordination of cybersecurity risk within industries. The Framework places cybersecurity activities into five functions – identify, protect, detect, respond, and recover – and urges organizations to implement capabilities in each area. NIST released the draft in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. It also is accepting comments via email.

    NIST Privacy/Cyber Risk & Data Security

  • Fifth Circuit Restores Negligence Claim in Data Breach Case

    Fintech

    On September 2, the U.S. Court of Appeals for the Fifth Circuit restored a group of financial institutions’ negligence claim against a payment processor in Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013). The restored claim relates to a 2008 data breach of a payment processor’s systems that exposed 130 million credit card numbers to cyberthieves. As a result of the breach, the institutions incurred costs to replace consumers’ compromised credit cards and to refund fraudulent charges. The ruling reversed the district court, which held that New Jersey’s economic loss doctrine barred the institutions’ negligence claim and limited them to seeking contractual remedies from the payment processor. The Fifth Circuit ruled that negligence claims for such losses are permitted where, as here, there is a distinguishable class of plaintiffs who are owed a duty and the defendant is not exposed to boundless liability.

    Credit Cards Privacy/Cyber Risk & Data Security

  • Federal District Court Grants FTC Request, Halts Online Payday Operation

    Fintech

    On August 29, the U.S. District Court for the Northern District of Illinois ordered an online payday loan operation to cease business activities and freeze assets in response to a complaint and memorandum filed by the FTC on August 27. Federal Trade Commission v. Caprice Marketing, LLC, No. 13-cv-6072 (N. Dist. Ill. Aug. 29, 2013). The FTC alleges that the defendants obtained sensitive personal and financial information from consumers by falsely representing that such information would be used to match consumers with payday lenders but instead used the information to make unauthorized withdrawals from consumer accounts.

    Privacy/Cyber Risk & Data Security
