InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
G7 Cyber Expert Group releases reports on ransomware and third-party risk
On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the reports “are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.”
The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing ransomware threats. The “non-prescriptive and non-binding” report is meant to guide public and private financial institutions for their own internal ransomware mitigation activities and “provide[s] an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7.”
The Fundamental Elements of Third-Party Risk Management for the Financial Sector updates a previous version published in 2018. According to the announcement, the updated report was necessary due to the increase in use of service providers by financial institutions in their central operational functions and subsequent vulnerabilities as a result of such reliance. The update includes explicit recommendations for monitoring risks along the supply chain and identifying systemically important third-party providers and concentration risks.
Parties reach agreement to resolve data scraping allegations
On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by Infobytes here.)
As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying url data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.
Social media platform awarded $365,000 in scraping suit
On December 8, the U.S. District Court for the Northern District of California enjoined a data trading company (defendant) from accessing a social media platform (plaintiff), and ordered it to pay $361,790 in attorney fees and $3,640 in court costs to the platform. According to the complaint, the defendant unlawfully scraped the profiles of over 90 million of the plaintiff’s users before selling the data. The complaint specifically alleged that the defendant sold “in-depth insights into the demographics and psychographics of influencers and their audiences.” The order enjoined the defendants from, among other things: (i) accessing or attempting to access the plaintiff’s platforms; (ii) developing, offering, and marketing software or computer code intended to automate the collection of data; and (iii) engaging in any activity that disrupts the plaintiff’s platforms.
OCC warns of crypto-asset and cybersecurity risks facing the federal banking system
On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”
The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”
The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with the crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging the activities. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.
The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”
The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.
Appellate court reverses BIPA decision
On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014. From the beginning of his employment, the plaintiff clocked into his job using a fingerprint, but the defendant did not have a written retention-and-destruction schedule for biometric data until 2018. The plaintiff was subsequently terminated and then filed suit claiming that the defendant violated BIPA by failing to establish a retention-and-destruction schedule for the possession of biometric information until four years after it first possessed the plaintiff’s biometric data. The trial court granted the defendant’s motion for summary judgment, finding that section 15(a) of BIPA established no time limits by which a private entity must establish a retention-and-destruction schedule for biometric data. The plaintiff appealed.
The appellate court reversed the trial court’s order, finding that Section 15(a) specified that a private entity “in possession of” biometric data must develop a written policy laying out its retention and destruction protocols, and the duty to develop a schedule is triggered by possession of the biometric data. The appellate court noted that its decision “is consistent with the statutory scheme, which imposes upon private entities the obligation to establish [BIPA]-compliant procedures to protect employees' and customers' biometric data.” The appellate court went on to note that it “can discern no rational reason for the legislature to have intended that a private entity ‘develop’ a ‘retention schedule and guidelines for permanently destroying’ (id. § 15(a)) biometric data at a different time from that specified in the notice requirement in section 15(b), which itself must inform the subject of the length of time for which the data will be stored (i.e., retained), etc.” The appellate court concluded “that the duty to develop a schedule upon possession of the data necessarily means that the schedule must exist on that date, not afterwards,” and stressed that this is “the only reasonable interpretation” in light of BIPA's “preventive and deterrent purposes.”
Furthermore, the appellate court rejected the defendant’s argument that “the statutory duty is satisfied so long as a schedule exists on the day that the biometric data possessed by a defendant is no longer needed or the parties’ relationship has ended," stating that the statutory language “belies this interpretation.”
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”
Republicans say social media company made misleading statements on China data-sharing practices
On November 22, Ranking Member James Comer (R-KY), Committee on Oversight and Reform, and Ranking Member Cathy McMorris Rodgers (R-WA), Committee on Energy and Commerce, sent a follow-up letter to a global social media company claiming it may have provided misleading or false information about its data sharing and privacy practices related to China. According to the lawmakers, the company claimed in a briefing to the committee that it does not track users’ internet data if they are not using the app, and that China-based employees cannot access U.S. users’ location-specific data—both of which appear to be “misleading at best, and at worst, false.” The lawmakers referenced reports alleging the company “clandestinely” gathers U.S. users’ sensitive internet history, and expressed concerns about statements made by employees responsible for company data that “‘it is impossible to keep data that should not be stored in [China] from being retained in [China]-based servers.’” Claiming the company has withheld information, the lawmakers are seeking additional information, including documents and communications related to the monitoring of U.S. users’ browsing data and location tracking.
Hair clinic must pay $500,000 to resolve data breach
On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.
Irish DPC fines global social media company €265 million over data scraping claims
On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.
EU increases financial sector cybersecurity
On November 28, the Council of the European Union (EU) announced that it adopted legislation for a new cybersecurity directive intended to improve resilience and incident response capacities across the EU by replacing the NIS, the current directive on the security of network and information systems. According to the announcement, the new directive, called NIS2, is intended “to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states.” Among other things, the directive establishes minimum rules for a regulatory framework and mechanisms for effective cooperation among relevant authorities in each member state, according to the EU. Additionally, the directive updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.