
InfoBytes Blog

Financial Services Law Insights and Observations


  • NIST Revamps Core Computer Security Guide

    Fintech

    On April 30, the National Institute of Standards and Technology (NIST) published a substantially revised version of its Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” the government’s core computer security guide. Although developed for use by federal agencies, the NIST Special Publication is widely used in the private sector. The revisions are the most extensive since the document was first published in 2005 and are meant to address evolving and emerging cyber security threats. For example, the new guide incorporates issues specific to (i) mobile and cloud computing, (ii) insider threats, (iii) applications security, (iv) supply chain risks, (v) advanced persistent threats, and (vi) trustworthiness, assurance, and resilience of information systems. It is sector-specific to allow organizations greater flexibility in building information security systems, and also provides for the first time a privacy controls catalog.

    Privacy/Cyber Risk & Data Security NIST

  • Senators Raise Concerns about CFPB's Data Collection

    Consumer Finance

    On April 23, the Senate Banking Committee held a hearing during which CFPB Director Richard Cordray testified on the CFPB’s semiannual report to Congress. A substantial portion of the hearing focused on the CFPB’s collection and use of data. Republican committee members led by Ranking Member Mike Crapo (R-ID) criticized the CFPB’s data collection efforts and its developing ability to “watch” consumers, and questioned the CFPB’s legal authority to collect data that could be reverse engineered to connect with specific consumers. Mr. Cordray explained that “big data” is the cutting edge of research in every field and that the CFPB needs to keep pace with financial institutions. According to Mr. Cordray, (i) the CFPB’s data are not connected to individuals (aside from complaint data) and are “anonymized”, (ii) much of the data come from commercial resources already accessible to firms, (iii) the CFPB obtains certain data from the same sources other regulators have in the past, and (iv) all of the data are essential to the CFPB’s ability to carry out its congressionally mandated work, including rulewriting, reporting to Congress, and undertaking other studies. The hearing also covered numerous other topics, including (i) the impact of the CFPB’s mortgage rules on small institutions, (ii) the CFPB’s collection and assessment of consumer complaints, (iii) coordination of examinations and information requests among federal and state regulators, and (iv) the status of the CFPB’s arbitration study, portions of which the CFPB may release this year.

    CFPB U.S. Senate Privacy/Cyber Risk & Data Security

  • FTC Updates COPPA FAQs

    Fintech

    On April 25, the FTC issued updated FAQs on the recently amended Children’s Online Privacy Protection Act Rule. The FAQs provide supplemental guidance designed to help website operators, mobile application developers, plug-ins and advertising networks operating on child-directed websites and online services prepare for the amended regulations, which take effect on July 1, 2013.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Seeks Input on Privacy, Security Implications of Connected Consumer Devices

    Fintech

    On April 17, the FTC requested input on the consumer privacy and security issues posed by the connectivity of consumer devices in advance of a public workshop to be held on November 21, 2013. The request notes that connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties. While advances in connected devices provide consumer benefits, greater connectivity also poses privacy and security risks. The FTC seeks comment on (i) the significant developments in services and products that make use of this connectivity, (ii) the technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections), (iii) the current and future uses of smart technology, (iv) consumer benefits, (v) privacy and security concerns, and (vi) how privacy risks should be weighed against potential societal benefits. The FTC is accepting comments through June 1, 2013.

    FTC Privacy/Cyber Risk & Data Security

  • SEC Approves Final Investor Privacy Rule

    Securities

    On April 10, the SEC voted unanimously to adopt a final rule requiring broker-dealers, mutual funds, investment advisers, and other regulated entities to implement programs designed to detect and prevent identity theft. The final rule applies to SEC-regulated entities that meet the definition of “financial institution” or “creditor” under the FCRA. The final rule will take effect 30 days after publication in the Federal Register and give covered firms six months from the effective date to comply. Under the final rule, covered firms must establish policies and procedures designed to (i) identify relevant types of identity theft red flags, (ii) detect the occurrence of those red flags, (iii) respond appropriately to the detected red flags, and (iv) periodically update the identity theft program. The rule requires covered firms to provide staff training and oversight of service providers, and provides guidelines and examples of red flags to help firms administer their programs. Further, the rule requires covered firms that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new card soon after notification of a change of address for a consumer’s account.

    SEC Privacy/Cyber Risk & Data Security

  • Illinois Federal Court Certifies Considerable Class in Data Company Privacy Suit

    Fintech

    On April 2, the U.S. District Court for the Northern District of Illinois certified a class of individuals who downloaded and installed tracking software created and operated by a data company and distributed by one of the company’s third-party bundling partners. Harris v. comScore, Inc., No. 11-5807, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013). The plaintiffs claim the data company used the tracking software to collect information on consumers’ computers, including social security numbers and other personally identifiable information. The court estimated the software was installed on millions of computers between 2008 and 2011. The court refused to certify unjust enrichment claims due to variances in laws across states, but allowed claims of violations of the Stored Communications Act, the Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act to move forward. Certification of such a large class is unusual for a privacy suit, but the company’s user license agreement and the downloading statement regarding the software provided a basis for shared injury not present in other cases.

    Privacy/Cyber Risk & Data Security

  • House Passes Gramm-Leach-Bliley Privacy Disclosure Exemption

    Consumer Finance

    On March 12, the U.S. House of Representatives passed H.R. 749, a bill that would exempt from the Gramm-Leach-Bliley Act’s annual privacy policy notice requirements any financial institution that (i) provides nonpublic personal information only in accordance with specified requirements and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from its most recent disclosure. The bill is identical to one passed by the House last year, H.R. 5817, but which the Senate never addressed. H.R. 749 now awaits consideration by the Senate.

    Bank Compliance Privacy/Cyber Risk & Data Security

  • Massachusetts High Court Holds State Credit Card Law Intended to Protect against Invasion of Privacy, ZIP Codes Protected

    Fintech

    On March 11, the Massachusetts Supreme Judicial Court held that a credit card holder may bring an action for violation of a state law prohibiting businesses from requiring personal identification information as part of a credit card transaction, even in the absence of identity fraud. Tyler v. Michaels Stores, Inc., No. SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013). The card holder moved the Massachusetts Supreme Judicial Court to certify three questions interpreting the statute after a case she brought against the retailer in federal court was dismissed. The U.S. District Court for the District of Massachusetts had held that a retailer’s collection of ZIP codes during a credit card transaction can constitute a violation of the credit card law, but that the card holder failed to allege actual harm. The Massachusetts Supreme Judicial Court agreed that a ZIP code amounts to personal information under the statute, and found that the law is “intended primarily” to protect card holders from invasion of privacy by merchants, not against credit card identity fraud. However, the court noted that the statute did not contain an express limitation barring card holders who were not the victim of fraud. On a third question, the court held that the term "credit card transaction form" refers equally to electronic and paper transaction forms.

    Privacy/Cyber Risk & Data Security

  • FTC Issues Report on Mobile Payment Consumer Protections

    Fintech

    On March 8, the FTC released a report on mobile payments by consumers. The report, based on an FTC workshop held in April 2012, focuses on financial, security, and privacy consumer protections. The FTC encourages companies to develop clear dispute resolution policies to address customer claims of fraudulent mobile payments or unauthorized charges. The report highlights “special concerns” with mobile carrier billing, in which mobile carriers place charges on phone bills on behalf of third parties, based on the FTC’s concern that there are no federal statutory protections governing consumer disputes about fraudulent or unauthorized charges placed on mobile carrier bills. The FTC also encourages industry-wide adoption of strong security measures and suggests ways sensitive financial information can be kept secure during the mobile payment process, including end-to-end encryption. The report highlights the need for mobile payment companies to practice “privacy by design,” incorporating strong privacy practices, consumer choice, and transparency into their products from the outset. Finally, the report notes privacy issues arising from the consolidation of consumers’ personal information in the mobile payment process.

    FTC Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Ramirez Expected to Chair FTC

    Fintech

    On February 28, the FTC announced that President Obama will designate Edith Ramirez as Chairman of the FTC, effective March 4, 2013. Ms. Ramirez became an FTC commissioner on April 5, 2010, and has focused on promoting competition and innovation in the technology and healthcare sectors, protecting vulnerable consumers from deceptive and unfair practices, and safeguarding consumer privacy. Prior to joining the FTC, Ms. Ramirez was a lawyer in private practice, and before that served as the Vice President on the Board of Commissioners for the Los Angeles Department of Water and Power.

    FTC Privacy/Cyber Risk & Data Security
