
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC Issues Semiannual Risk Report, Highlights Cyber Security and Anti-Money Laundering Risk

    Consumer Finance

    On June 18, the OCC released its Semiannual Risk Perspective, which assesses risks facing national banks and federal savings associations with regard to: (i) the operating environment, (ii) condition and performance of the banking system, (iii) funding, liquidity, and interest rate risk, and (iv) regulatory actions. Among the many issues reviewed in the report, the OCC noted that cyber threats continue to grow in sophistication and require heightened awareness and appropriate resources to identify and mitigate the associated risks. It also stated that BSA/AML threats are increasing as a result of changing methods of money laundering and an increase in the volume and sophistication of electronic banking fraud, while compliance programs are failing to evolve or incorporate appropriate controls into new products and services.

    OCC Anti-Money Laundering Bank Secrecy Act Semiannual Risk Report Privacy/Cyber Risk & Data Security

  • FTC Chairwoman Announces Senior Personnel Changes

    Fintech

    On June 17, FTC Chairwoman Edith Ramirez named several senior staff members, including Jessica Rich as Director of the Bureau of Consumer Protection. Ms. Rich has been with the FTC for more than 20 years and most recently served as Associate Director of the Division of Financial Practices. Prior to that, Ms. Rich was a Deputy Director of the Bureau and has served as the Acting Associate Director and Assistant Director of the Bureau’s Division of Privacy and Identity Protection, among numerous other positions. Ms. Ramirez also named Jonathan E. Nuechterlein as General Counsel. He joins the agency from a large law firm, where he was a partner and chair of the firm’s communications, privacy, and Internet law practice group. He previously was Deputy General Counsel for the FCC and an Assistant to the Solicitor General at the U.S. Department of Justice.

    FTC Nonbank Supervision Privacy/Cyber Risk & Data Security

  • Texas Enacts Stringent Email Privacy Bill

    Fintech

    On June 14, Texas enacted HB 2268, which amends current state law relating to “search warrants issued in [that] state and other states for certain customer data, communications, and other related information held in electronic storage” by “electronic communications services and remote computing services” providers. Among other things, the bill requires law enforcement to obtain a warrant to search emails, regardless of the age of the emails. The requirement exceeds the privacy protections granted by the federal Electronic Communications Privacy Act, which allows warrantless searches of emails left unopened for 180 days.

    Privacy/Cyber Risk & Data Security

  • OCC Publishes Community Bank Best Practices Booklet, Holds Webinar on Community Bank Cyber Threats

    Fintech

    On June 13, the OCC published a booklet titled “A Common Sense Approach to Community Banking,” which offers best practices the agency believes distinguish high-performing community banks from those that barely survive or fail. The booklet, which previously was distributed to national banks and federal thrifts and now is available on the OCC’s website, focuses on three interrelated areas: (i) risk assessment and management, (ii) strategic planning, and (iii) capital planning. Earlier in the week, the OCC hosted a webinar on cyber threats and vulnerabilities to raise awareness for community banks, and provided a collection of existing regulatory guidance that addresses actions banks should take to help mitigate the risks associated with information security.

    OCC Community Banks Privacy/Cyber Risk & Data Security

  • FTC Revises Red Flags Identity Theft Rule Business Guide

    Fintech

    On June 12, the FTC issued revised guidance to help firms comply with its Red Flags Rule, which requires covered firms to monitor for and respond to certain “red flag” warnings of customer identity theft. The updated guide reflects changes made to the rule last year to more narrowly define the types of creditor subject to the rule.

    FTC Privacy/Cyber Risk & Data Security

  • NIST Seeks Comments on Cloud Computing Security Document

    Fintech

    On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.

    Cloud Computing NIST Privacy/Cyber Risk & Data Security

  • Federal Court Holds Opened Emails Not Protected By Stored Communications Act

    Fintech

    On June 5, the U.S. District Court for the Northern District of Ohio held that emails the intended recipient opened but did not delete were not covered by the Stored Communications Act because they were not being kept for the purposes of backup protection. Lazette v. Kulmatycki, No. 12-02416, 2013 WL 2455937 (N.D. Ohio Jun. 5, 2013). In this case, an individual alleged, among other things, that her former employer and supervisor violated the Stored Communications Act when the supervisor read numerous emails in the employee’s personal email account, which the supervisor accessed through the employer-issued mobile device the employee surrendered upon leaving the company. Some of these emails previously had been opened by the intended recipient, while others had not. The court held that emails in the personal account that had been opened first by the intended recipient but not deleted were not in “backup” status or “electronic storage” as those terms are defined in the SCA. The court granted the employer’s motion to dismiss with regard to such previously opened emails. The court declined to dismiss the intended recipient’s claim with respect to the emails which were first opened by the supervisor. The court rejected several other of the employer’s SCA-related arguments, holding that (i) the SCA was not designed only to apply to computer hackers and generally does apply to the supervisor’s actions, (ii) the mobile device was not the “facility” under the SCA, rather the server for the personal email service was the facility, and (iii) the employee did not implicitly consent to having her emails read by not deleting or logging out of the personal account before surrendering the employer-issued mobile device.

    Privacy/Cyber Risk & Data Security

  • FFIEC Creates Cyber Security Working Group

    Federal Issues

    On June 6, the Federal Financial Institutions Examination Council (FFIEC) announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.

    FFIEC Privacy/Cyber Risk & Data Security

  • Federal District Court Holds Phone Number Provided in Online Account Information Is Consent to Receive Text Messages

    Fintech

    On May 30, the U.S. District Court for the Northern District of California held that a user of an online service consented to receiving text messages from that service by including his mobile number in his online account information. Roberts v. PayPal, Inc., No. 12-622, 2013 WL 2384242 (N.D. Cal. May 30, 2013). In this case, a PayPal user filed a putative class action claiming that the company sent unsolicited advertisements via text messages to users’ mobile phones in violation of the Telephone Consumer Protection Act, which generally prohibits unsolicited calls and messages using automatic dialing or prerecorded voices absent express written consent. The court granted summary judgment to PayPal, holding that, by providing his mobile phone number to PayPal when he added the number to his online account, the user provided express consent for PayPal to send text messages. The court did not resolve PayPal’s alternative argument that the user consented to receiving messages by accepting the terms of PayPal’s user agreement, which included an express consent to receive autodialed calls. That provision was not included in the agreement at the time the user created his PayPal account and accepted the user agreement, but was added several years later without notice to the user. The court expressed skepticism concerning the binding nature of an agreement amendment that is merely posted to a website without other notice to the customer, even if the customer has previously agreed to the terms and that procedure.

    TCPA Privacy/Cyber Risk & Data Security

  • New York Investigates Insurance Companies' Cyber Security

    Fintech

    On May 28, New York Governor Andrew Cuomo announced an inquiry into the measures employed by insurance companies to protect their customers and companies from cyber threats. The state’s Department of Financial Services sent letters to 31 insurers seeking an array of information, including information about (i) any cyber attacks the company has been subject to in the past three years; (ii) the cyber security safeguards the company has put in place; (iii) the company’s information technology management policies; (iv) the amount of funds and other resources dedicated to cyber security at their company; and (v) the company’s governance and internal control policies related to cyber security. The governor explained that the state already is focused on ensuring that banks have appropriate protections in place, but that insurers also should be scrutinized because the “extraordinarily sensitive health, personal, and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers.”

    Privacy/Cyber Risk & Data Security
