Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large credit reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in their security system became known. The company and the plaintiffs later submitted a proposed settlement order to the court.
According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. In the order granting final approval of the settlement the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million for attorneys’ fees, and approximately $1.4 million for reimbursement of expenses. Class members are eligible for additional benefits including up to 10 years of credit monitoring and identity theft protection services or cash compensation if they already have those services, as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology in the next five years.
On December 13, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss a data breach suit brought by the City of Chicago. According to the city’s complaint, the company violated the Illinois Consumer Fraud and Deceptive Business Practices Act by, among other things, allegedly failing to (i) “protect Chicago residents’ personal information”; (ii) implement and maintain reasonable security measures; (iii) disclose that it did not maintain reasonable security measures; and (iv) provide “prompt notice” of the breach to Chicago residents. According to the opinion, the city had established standing to sue the company because it adequately alleged injury to its municipal interests. Additionally, the court rejected the company’s assertion that the suit is unconstitutional under the Illinois Constitution, stating that the consumer protection ordinance the company was alleged to have violated “addresses a local problem, making it a legitimate exercise of the City’s home rule authority” under the state’s constitution. The company had released a statement in November 2018, which is at the center of the city’s action, stating that the breach was discovered in September 2018, had exposed personal information from 500 million guests, and been ongoing since 2014.
The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CIT) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to successfully implement a risk-based information security program, an organization must be aware of both general cybersecurity risks across all industries, as well as both business-sector risks and organizational risks unique to the organization. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “through and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”
Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to an organization’s information systems and sensitive information, which provides the management insight regarding the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Even today, generally an accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams, utilizing the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege) to inform the user of general cyber-attack vectors that each organization should consider. Generally, between cybersecurity frameworks, such as the NIST Cybersecurity Framework (for risk-based analytical approaches), and threat modeling tools identifying generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.
However, with the increasing amount of large-scale data breaches occurring and with the evolving complexity of cybersecurity threats, many regulatory agencies and other industry-based standards institutions have called for a need to go one step further and understand the techniques, tactics, and procedures (TTPs) utilized by hackers using CIT. By using CIT and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing by simulating each phase of a hypothetical attack into the organization’s information system and determine potential countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detection or prevention of the attack. Kill Chain was used as part of a U.S. Senate investigation into the data breach of a major corporation in 2013, identifying several stages along the chain where the attack could have been prevented or detected.
This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has provided for public consumption its ATT&CK (adversarial tactics, techniques, and common knowledge) platform. ATT&CK collects and streamlines adversarial TTPs in specific detail and provides information on each technique and potential mitigating procedures, including commonly used attack patterns for each. For instance, one tactic identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools and identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent it.
By leveraging open-source CIT from tools such as ATT&CK and other reports from third-party sources such as government and industry alerts, organizations can begin the process of designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling, and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and, therefore, does not examine other threats that organizations may face, including distributed denial of services (DDoS) attacks that threaten the availability of its systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly if such DDoS prevent its clients from accessing their financial accounts and ultimately, their money.
On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”
The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.
The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.
On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.
On September 18, the U.S. District Court for the Northern District of California dismissed with prejudice a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. The court stated that the plaintiffs plausibly alleged the defendants’ November 2017 announcement about the data breach was misleading because it “disclosed only a security vulnerability, rather than an actual security breach that potentially compromised” 1.6 million customers, which the plaintiffs contended was not actually disclosed until a month later when a follow-up statement was released. However, the court argued that the plaintiffs failed to show under the loss-causation theory that the defendants knew the breach affected 1.6 million customers when the company made its first statement, and contended that confidential witness statements provided by the plaintiffs from three former employees did not credibly support allegations that the defendants and its executives knew the full extent of the breach when they warned of potential vulnerabilities or “used that knowledge (or recklessly disregarded it) to deceive the market.” Furthermore, the court determined that while both parties agreed that a plaintiff can support a securities fraud claim with expert opinions, the plaintiffs in this case failed to allege that the cybersecurity expert they hired was familiar with, or had knowledge of, the defendants’ specific security setup or that he actually talked to the defendants’ employees about the breach. According to the court, the expert provided an opinion on “what likely would have happened in the event of any breach.”
On September 12, the CFTC issued an order against an Illinois-based futures commission merchant imposing a $1.5 million fine for allegedly failing to protect its systems from cybersecurity threats and not alerting its customers in a reasonable timeframe after a breach occurred. According to the order, the CFTC claims the merchant failed to adequately implement and comply with cybersecurity policies and procedures as well as a written information systems security program, and “policies and procedures related to customer disbursements by its employees.” The CFTC contends that because of these failures the merchant’s email system was breached, which allowed access to customer information and convinced the merchant’s customer service specialist to mistakenly wire $1 million in customer funds. While the merchant approved reimbursement of the funds shortly after discovery, instituted measures to prevent additional fraudulent transfers, and notified regulators the same day, the CFTC alleges it failed to disclosure the breach or the fraudulent wire in a timely manner to current or prospective customers. Under the terms of the order, the merchant must pay a civil money penalty of $500,000 plus post-judgment interest, as well as restitution of $1 million. The merchant’s previous reimbursement of customer funds when the fraud was discovered was credited against the restitution amount.
On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based storage systems for the financial industry as systemically important financial market utilities. The letter is in response to the recent data breach announcement by a national bank (covered by InfoBytes here), where an alleged former employee of the bank’s cloud-based storage system gained unauthorized access to the personal information of credit card customers and people who had applied for credit card products. According to the Congresswomen, 57 percent of the cloud services market is “cornered by” three main providers, and “a lack of substitutability for the services provided by these very few firms creates systemic risk.” The letter argues that cloud services are not currently subject to an enforced regulatory regime and, “[w]ithout a dedicated regulatory regime proportional and tailored to their very unique structure and risks, cloud comparing companies will continue to evade supervision.”
On August 9, the Illinois governor signed SB 1624, which requires that a single data breach involving the personal information of more than 500 Illinois residents must be reported to the state attorney general. The notice must include: (i) a description of the nature of the breach of security or unauthorized acquisition or use; (ii) the number of Illinois residents affected by such incident at the time of notification; and (iii) any steps the data collector has taken or plans to take relating to the incident. Notification is required to be made “in the most expedient time possible and without unreasonable delay,” but no later than when the data collector informs consumers of the breach under current law. The bill is effective January 1, 2020.
- Jonice Gray Tucker to discuss "Trends in regulatory enforcement" at the ABA Banking Law Committee Meeting
- Jonice Gray Tucker to discuss "Fair access to credit in today’s innovative environment" at the ABA Banking Law Committee Meeting
- Andrew W. Schilling to moderate "Expectations of in-house counsel from their law firm partners" at the ACI's 7th Annual Advanced Forum on False Claims and Qui Tam
- Buckley Webcast: Tips for navigating changes to the FHA recertification process
- Daniel P. Stipano to discuss "A 20/20 view on 2020’s legislative and regulatory outlook" at the ACAMS Anti-Financial Crime and Public Policy Conference
- Kari K. Hall and Michelle L. Rogers to discuss "Overdrafts and regulatory trends" at the CLE Alabama Banking Law Update
- Kathryn L. Ryan to discuss "Industry open forum session on NMLS usage" at the NMLS Annual Conference & Training
- Kathryn L. Ryan to discuss "Regulating innovative consumer lending products" at the NMLS Annual Conference & Training
- Daniel P. Stipano to moderate "Washington update" at the 17th Puerto Rican Symposium of Anti Money Laundering 2020 conference
- APPROVED Checkpoint Webcast: CFL overview
- Daniel P. Stipano to discuss "Pathway of the SARs: Tracking trajectories of suspicious activity reports from alerts to prosecution" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Which bud’s for you? A deep-dive into evolving marijuana laws" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference