InfoBytes Blog

Financial Services Law Insights and Observations

  • SEC Chairman Releases Statement Discussing Internal Cybersecurity Assessment, Announces EDGAR Vulnerability May Have Led to Illicit Gain

    Privacy, Cyber Risk & Data Security

    On September 20, the SEC released a statement issued by Chairman Jay Clayton regarding the Commission’s approach to cybersecurity and its impact on market participants. Topics discussed in the statement, which is part of the SEC’s ongoing assessment of its cybersecurity risk profile, include:

    • the collection and use of data by the SEC;
    • the management of, and responses to, internal cybersecurity risks;
    • the integration and incorporation of cybersecurity considerations into the SEC’s supervision of regulated entities;
    • coordinated efforts with other regulators to identify and mitigate risk; and
    • oversight and enforcement efforts related to cybersecurity activities.

    The Chairman also discussed the SEC’s discovery in August that a 2016 security incident involving a software vulnerability within the Commission’s EDGAR system “may have provided the basis for illicit gain through trading” by providing access to nonpublic information. However, the SEC also stated its belief that “the intrusion did not result in the unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” According to the SEC, the vulnerability was patched promptly after discovery, and the SEC commenced an internal investigation, which is ongoing.

    Chairman Clayton is scheduled to testify before the Senate Banking Committee on September 26 at a hearing titled, “Oversight of the U.S. Securities and Exchange Commission.”

    Privacy/Cyber Risk & Data Security SEC Senate Banking Committee EDGAR Data Breach

  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair and deceptive acts and practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo released a notice directing the New York Department of Financial Services (NYDFS) to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State AG NYDFS Enforcement

  • OFAC Imposes Additional Iranian Sanctions, List Includes Entities Involved in DDoS Attacks Against U.S. Financial Institutions

    Financial Crimes

    On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced it was imposing sanctions on 11 entities and individuals for supporting designated Iranian actors or for conducting malicious cyberattacks, including engaging in a series of distributed denial of service (DDoS) attacks against approximately 46 U.S. financial institutions. As reported in an indictment delivered by a federal grand jury in the Southern District of New York (see March 24, 2016 DOJ press release), the DDoS attacks—allegedly conducted by seven Iranian individuals between December 2011 and mid-2013—denied customers access to online bank accounts and collectively cost the affected financial institutions “tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their [computer] servers.” During a DDoS attack, a “malicious actor” gains remote control of a server through the installation of malicious software. Once compromised, the “malicious actor” can collect hundreds or thousands of these compromised devices (collectively known as a “botnet”), and, once control is achieved, will “direct the computers or servers comprising the botnet to carry out computer network attack[s] and computer network exploitation activity.” Three of the seven sanctioned individuals worked for a company that was added to OFAC’s updated SDN list on September 14 and oversaw a network of compromised computers that powered DDoS attacks. The other four individuals operated a second DDoS botnet on behalf of a different company listed on OFAC’s non-SDN list. Both Iranian-based private computer security companies perform work on behalf of the Iranian Government, including Iran’s Islamic Revolutionary Guard Corps. Pursuant to E.O. 13694, U.S. persons are prohibited from dealing with the designated entities and individuals, and “foreign financial institutions that facilitate significant transactions for, or persons that provide material or certain other support to, the entities and individuals designated today risk exposure to sanctions that could sever their access to the U.S. financial system or block their property and interests in property under U.S. jurisdiction.”

    In addition, pursuant to E.O. 13382, OFAC sanctioned an Iranian-based engineering company for engaging in activities related to Iran’s ballistic missile program, which include providing “financial, material, technological, or other support for, or goods or services in support of, the [Islamic Revolutionary Guard Corps].” Two Ukrainian-based companies were also sanctioned pursuant to E.O. 13224 for assisting previously sanctioned Iranian and Iraqi airlines in obtaining U.S.-origin aircraft, as well as crew and services.

    Financial Crimes Sanctions Treasury Department OFAC DOJ Indictment Privacy/Cyber Risk & Data Security

  • Senate Banking Committee’s Fintech Hearing Discusses Regulatory Challenges and Innovation Risks

    FinTech

    On September 12, the full Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Examining the Fintech Landscape” to discuss topics concerning fintech innovation and the regulatory landscape. Committee Chairman Mike Crapo (R-Idaho) opened the hearing by asserting that while fintech firms provide “new and innovative products and services in areas such as marketplace lending, digital payments and currencies, wealth management, insurance and more . . . [u]ncertainty remains around questions like data security and the proper regulatory treatment to ensure consumers and the financial system are safeguarded.” Sen. Crapo said that he welcomes the opportunity to learn more about fintech innovations, the impact on the financial system, and the current regulatory approach to this sector.

    Sen. Sherrod Brown (D-Ohio), ranking member of the Committee, also released an opening statement in which he called for the need to “improve federal oversight of data collection and data security,” especially in light of the recent credit reporting data breach. (See previous InfoBytes summary here.) Sen. Brown noted that he is interested in understanding “how Congress can encourage fintech innovation to make it easier for community banks to serve their customers, comply with important safety and soundness and anti-money laundering rules.”

    The three witnesses offered numerous insights related to the fintech industry, including (i) the need to manage risk without stifling fintech innovation; (ii) the importance of creating consistent standards and a regulatory framework; (iii) the need to clearly outline the definition of fintech firms and digital lenders; (iv) challenges when using algorithms and alternative data to assess creditworthiness; and (v) concerns regarding state preemption in the fintech space. The witnesses also answered questions concerning the concept of utilizing a regulatory sandbox to allow fintech firms to operate on a limited basis to test new ideas, and offered support for an innovation office, which would help fintech firms and regulators understand the emerging landscape. The witnesses were:

    • Mr. Lawrance Evans, Director, Financial Markets, U.S. Government Accountability Office (testimony);
    • Mr. Eric Turner, Research Analyst, S&P Global Market Intelligence (testimony); and
    • Mr. Frank Pasquale, Professor of Law, University of Maryland Francis King Carey School of Law (testimony).

    Fintech Federal Issues Senate Banking Committee Privacy/Cyber Risk & Data Security Data Collection / Aggregation

  • FTC Announces First EU-U.S. Privacy Shield Enforcement Actions Over False Certification Claims

    Privacy, Cyber Risk & Data Security

    On September 8, the FTC announced settlements with three companies over allegations that they falsely claimed certification to take part in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. These settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions. In July 2016, the EU finalized and adopted the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations. (See previous InfoBytes summary here.) In separate complaints, the FTC alleges that a human resources software company, a printing services company, and a company that manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield without having completed the certification process. According to the terms of the settlements as summarized in the FTC press release, the companies are all banned from “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.”

    Privacy/Cyber Risk & Data Security Enforcement FTC Settlement

  • Legislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach

    Privacy, Cyber Risk & Data Security

    As previously reported in InfoBytes, a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative action. Senator Brian Schatz (D-Haw.) reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act to address these issues. In addition, two committees—the House Financial Services Committee and the House Energy and Commerce Committee—both announced plans to hold hearings on the breach (dates still to be released). Separately, Representative Ted Lieu (D-Cal.) sent a letter to the House Judiciary Committee requesting a hearing to investigate how and why the data breach occurred, and what measures can be taken to prevent future incidents.

    At least two class action lawsuits have been filed—in Georgia and Oregon—as a result of the breach, and several state attorneys general, including New York Attorney General Eric T. Schneiderman, have launched investigations into the matter. The CFPB also released a blog post for consumers on ways to identify signs of fraud or identity theft.

    Notably, on September 11, the agency issued an update for consumers announcing that “in response to consumer inquiries,” the arbitration clause and class action waiver included in its terms of use will not “apply to this cybersecurity incident.” The CFPB’s final arbitration rule, which prohibits the use of mandatory pre-dispute arbitration clauses, has been a point of considerable debate this summer, with the House voting to repeal the proposed rule and the Senate introducing a similar measure (see InfoBytes post here), while a coalition of state attorneys general have issued support for the proposed rule (see InfoBytes post here).

    Privacy/Cyber Risk & Data Security Data Breach Class Action State AG

  • Credit Reporting Agency Announces Widespread Consumer Data Breach

    Privacy, Cyber Risk & Data Security

    On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, and driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identity theft protection.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach

  • Delaware Governor Enacts Amendments to Computer Security Code

    State Issues

    On August 17, Delaware Governor John Carney signed into law amendments (House Substitute No. 1) to the state’s code regarding computer security breaches involving personal information. Among other changes, the amendments: (i) require any person who conducts business in Delaware and maintains personal information to implement and maintain safeguard procedures to protect personal information; (ii) revise the definition of a “breach of security”—defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information”—to exclude “good faith acquisition” where the information is not used for unauthorized purposes, as well as instances where the breached data is encrypted and the encryption key has not been compromised; (iii) add to the definition of “personal information” items such as passport numbers, email addresses and passwords, medical history information, health insurance and tax identification numbers, and biometric data; and (iv) strengthen consumer protections, including requirements that notices to consumers be sent no later than 60 days after it has been determined that a breach has occurred, that the state Attorney General be notified of breaches affecting more than 500 residents, and that free credit monitoring services be provided to residents whose social security numbers were involved in the breach. The amendments become effective on April 14, 2018.

    State Issues State Legislation Privacy/Cyber Risk & Data Security

  • FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security

    Privacy, Cyber Risk & Data Security

    On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”

    According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (ii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software that acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.

    The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.

    Privacy/Cyber Risk & Data Security State AG Enforcement Settlement FTC Act

  • NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28

    State Issues

    On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in InfoBytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to assist institutions in complying with the regulation’s requirements.

    State Issues Privacy/Cyber Risk & Data Security NYDFS Compliance Bank Regulatory
