InfoBytes Blog

Financial Services Law Insights and Observations

  • President Trump Releases 2018 Budget Proposal; Key Areas of Reform Target Financial Regulators, Cybersecurity, and Student Loans

    Federal Issues

    On May 23, the White House released its fiscal 2018 budget request, A New Foundation for American Greatness, along with Major Savings and Reforms, which set forth the President’s funding proposals and priorities. The mission of the President’s budget is to bring spending under control by proposing savings of $57.3 billion in discretionary programs, including $26.7 billion in program eliminations and $30.6 billion in reductions.

    Financial Regulators. The budget stresses the importance of reducing the cost of complying with “burdensome financial regulations” adopted by independent agencies under the Dodd-Frank Act. However, the proposal provides few details about how the reform applies to federal financial services regulators. Identifying the CFPB specifically, the budget states that restructuring the Bureau is necessary in order to “ensure appropriate congressional oversight and to refocus [the] CFPB’s efforts on enforcing the law rather than impeding free commerce.” Major Savings and Reforms asserts that subjecting the Bureau to the congressional appropriations process would “impose financial discipline and prevent future overreach of the Agency into consumer advocacy and activism.” The budget projects further savings of $35 billion through the end of 2027, resulting from legal, regulatory, and policy changes to be recommended by the Treasury once it completes its effectiveness review of existing laws and regulations in collaboration with the Financial Stability Oversight Council. The Treasury review is being performed as a result of the Executive Order on Core Principles.

    Dept. of Housing and Urban Development. As previously reported in InfoBytes, the budget proposes that funding be eliminated for the following: (i) small grant programs such as the Self-Help Homeownership Opportunity Program, which includes, among others, the Capacity Building for Community Development and Affordable Housing Program (a savings of $56 million); (ii) the CHOICE Neighborhoods program (a savings of $125 million), stating state and local governments should fund strategies for neighborhood revitalization; (iii) the Community Development Block Grant (a savings of $2.9 billion), over claims that it “has not demonstrated results”; and (iv) the HOME Investment Partnerships Programs (a savings of $948 million). The budget also proposes reductions to the Native American Housing Block Grant and plans to reduce costs across HUD’s rental assistance programs through legislative reforms. Rental assistance programs generally comprise about 80 percent of HUD’s total funding.

    Cybersecurity. The budget states that it “supports the President’s focus on cybersecurity to ensure strong programs and technology to defend the Federal networks that serve the American people, and continues efforts to share information, standards, and best practices with critical infrastructure and American businesses to keep them secure.” Law enforcement and cybersecurity personnel across the Department of Homeland Security (DHS), Department of Defense, and the FBI will see budget increases to execute efforts to counter cybercrime. Furthermore, the National Cybersecurity and Communications Integration Center—which DHS uses to respond to infrastructure cyberattacks—will receive an increase under the budget.

    Student Loan Reform. Under the proposed budget, a single income-driven repayment plan (IDR) would be created that caps monthly payments at 12.5 percent of discretionary income—an increase from the 10 percent cap some current payment plans offer. Furthermore, balances would be forgiven after a specific number of repayment years—15 for undergraduate debt, 30 for graduate. In doing so, the Public Service Loan Forgiveness program and subsidized loans will be eliminated, and reforms will be established to “guarantee that borrowers in IDR pay an equitable share of their income.” These proposals will only apply to loans originated on or after July 1, 2018, with the exception of loans provided to borrowers in order to finish their “current course of study.”

    Dept. of the Treasury. The budget proposes to, among other things: (i) eliminate funding for new Community Development Financial Institutions Fund grants (a savings of $220 million); and (ii) reduce funding for the Troubled Asset Relief Program by 50 percent, “commensurate with the wind-down of TARP programs” (a savings of $21 million).

    Response from Treasury. In a statement released by the Treasury, Secretary Steven T. Mnuchin said the budget “prioritizes investments in cybersecurity, and maintains critical funding to implement sanctions, combat terrorist financing, and protect financial institutions from threats.” Furthermore, it also would “achieve savings through reforms that prevent taxpayer bailouts and reverse burdensome regulations that have been harmful to small businesses and American workers.”

    Federal Issues Treasury Department POTUS HUD budget Privacy/Cyber Risk & Data Security Student Lending Bank Regulatory FSOC

  • Acting FTC Chairman Ohlhausen Welcomes New FCC Approach to Internet Openness

    Privacy, Cyber Risk & Data Security

    On May 18, Acting FTC Chairman Maureen Ohlhausen issued a statement on the FCC’s publication of a Notice of Proposed Rulemaking (NPRM) to “reinstate a light-touch regulatory approach protecting Internet openness.” The Notice proposes the following actions: (i) returning to the framework under Title I of the Communications Act instead of following Title II regulatory guidance; (ii) classifying mobile broadband Internet access service as “private mobile service”; and (iii) eliminating Title II’s “vague and expansive” Internet conduct standard, thus eliminating regulatory uncertainty. “I welcome the adoption of this NPRM as further progress toward restoring the FTC’s ability to protect broadband subscribers from unfair and deceptive practices, including violations of their privacy. Those consumer protections were an unfortunate casualty of the FCC’s 2015 decision to subject broadband to utility-style regulation. This new proceeding offers an opportunity to undo that decision and thereby return broadband consumers to the expert protection of the FTC,” stated Chairman Ohlhausen.

    Privacy/Cyber Risk & Data Security FTC FCC

  • House Passes Cyber Crime Bill

    Privacy, Cyber Risk & Data Security

    On May 16, the U.S. House of Representatives officially approved the Strengthening State and Local Cyber Crime Fighting Act of 2017 (H.R. 1616) in a vote of 408-3. The Act would amend the Homeland Security Act of 2012 to formalize the Secret Service’s National Computer Forensic Institute’s (NCFI) responsibilities for coordinating investigations into cyberattacks and hacks and would provide training and tools for state and local agencies dealing with electronic crime-related threats. In an April press release, the bill’s sponsor, Rep. John Ratcliffe (R-Tex.), Chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, stated, “The [NCFI] has played a major role in equipping state and local law enforcement officers across the country with the tools they need to address the extra layers of complexity presented by the growing incidences of cybercrime.” Notably, the legislation, which now heads to the Senate, follows the recent international cyberattack that infected computer systems globally with the WannaCry ransomware (see previous InfoBytes coverage here).

    Privacy/Cyber Risk & Data Security U.S. House

  • Ransomware Attack Has Global Impact, Bipartisan Legislation Introduced to Counter Hacking

    Privacy, Cyber Risk & Data Security

    On May 12, a cyberattack spread around the world, affecting more than 230,000 computers in roughly 150 countries, according to a statement issued by the American Bankers Association. The ransomware, known as “WannaCry,” was used to exploit a vulnerability that affects computers running Microsoft Windows (see Department of Homeland Security Alert). Users of infected computers received a message that their files had been encrypted and that they must pay a ransom in bitcoin in order to decrypt their files. However, as conveyed in a press release issued by the Financial Services - Information Sharing and Analysis Center (FS-ISAC), the majority of the attacks appear to be targeting and impacting non-financial sector entities globally. FS-ISAC “believes the current attacks utilize known vulnerabilities for which there are available software patches,” but that firms and service providers need to implement the patches. Agencies continue to monitor what may be the first in a series of attacks.

    SEC Office of Compliance and Examinations (OCIE) and FBI Issue Responses. The OCIE released a statement cautioning registrants to be vigilant in mitigating risk, and noted a recent OCIE study that determined a substantial number of registrants did not conduct periodic risk assessments, penetration tests, or vulnerability scans, while a smaller number had not updated critical security patches. The OCIE also provided links to guidance on cybersecurity risk management. Likewise, the FBI issued a bulletin providing guidance on additional protection measures following the attack.

    Bipartisan Legislation Introduced. On May 17, bipartisan legislation was introduced in the House and Senate to add transparency and accountability to the federal government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems. The bill, Protecting our Ability To Counter Hacking (PATCH) Act, follows the apparently leaked NSA hacking tool which opened the door to the global “WannaCry” ransomware attack. It is sponsored by Senators Brian Schatz (D-Haw.), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.), and Representatives Ted Lieu (D-Cal.) and Blake Farenthold (R-Tex.). As described in a release issued by Sen. Schatz’s office, the proposed legislation would make the Vulnerabilities Equities Process (VEP) more permanent, while altering its structure. It would also make the Department of Homeland Security the chair of the interagency board overseeing the VEP. Under the bill, the NSA and other security agencies would still be a permanent part of the board, while other agencies and the White House's National Security Council could attend meetings if the board deems it necessary. The established board would also produce a report for Congress on the policies it establishes regarding the disclosure of vulnerabilities no later than 180 days after the enactment of the Act. An unclassified version of the report will be publicly available as well. “Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy,” Sen. Schatz noted. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

    Coalition for Cybersecurity Policy and Law. The legislation has already received support. The Coalition issued the following statement in support of the proposed bill: “We support the goals of the PATCH Act and we look forward to working with Chairman Johnson, Senators Schatz and Gardner, and Reps. Lieu and Farenthold as it moves forward in both chambers. The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery.”

    Privacy/Cyber Risk & Data Security ABA SEC Congress

  • FTC, Federal, State, and International Partners Announce Crackdown on Tech Support Scams

    Privacy, Cyber Risk & Data Security

    On May 12, the FTC, along with federal, state and international law enforcement partners, announced new enforcement actions in its “Operation Tech Trap” program. The program is designed to crack down on tech support scams that, among other things, deceive consumers into believing their computers are infected with viruses and malware and then charge them for unnecessary repairs. According to FTC, its Operation Tech Trap partners have brought 29 law enforcement actions against deceptive tech support operations in the last year. Among the four new complaints announced on May 12, the FTC has already been granted temporary restraining orders in three of the cases to stop the tech support companies’ deceptive practices, freeze their assets, and appoint a temporary receiver to take control of them.

    The FTC also announced a settlement in a pending action brought by the FTC and the Attorneys General of Connecticut and Pennsylvania against two defendants who allegedly participated in deceptive acts and practices in connection with the advertising, marketing, and sale of computer security or technical support products and services. Under the terms of the settlement, the defendants are subject to a money judgment in excess of $27 million. The stipulated final order has been entered by the U.S. District Court for the Eastern District of Pennsylvania. In addition to the FTC and state cases, DOJ brought federal criminal charges against seven individuals, two of whom have entered guilty pleas, for their participation in an international “Tech Support Scam.” Moreover, with respect to its international efforts, Operation Tech Trap is working with authorities in India to crack down on tech support scammers, and has also instituted consumer and business education outreach initiatives with Australia and Canada.

    Privacy/Cyber Risk & Data Security FTC Enforcement State AG DOJ

  • FTC Launches New Website for Small Businesses, Provides Resources to Avoid Scams and Cyberattacks

    Privacy, Cyber Risk & Data Security

    On May 9, the FTC announced the launch of its new website, designed to provide useful information so small businesses can protect their networks and customer data from scams and cyberattacks. The website offers specific guidance such as the Small Business Computer Security Basics guide, which shares computer security basics to help companies: (i) protect their files and devices; (ii) train employees to think twice before sharing the business’s account information; (iii) keep their wireless networks protected; and (iv) respond to data breaches. Information on other cyber threats such as ransomware and phishing schemes that target small businesses is also provided. According to the FTC, the U.S. Small Business Administration reports that “there are more than 28 million small businesses nationwide” that are at risk, many of which lack the resources larger companies have to spend on cybersecurity. Further, the FTC noted that Symantec Corp. found that “the percentage of spear-phishing attacks targeting small business rose dramatically from 18 percent to 43 percent between 2011 and 2015.”

    Privacy/Cyber Risk & Data Security FTC Consumer Education

  • Legislation Proposed to Require Study on Homeowners’ Privacy of Collected HMDA Information

    Federal Issues

    On April 27, Reps. Randy Hultgren (R-Ill.) and Andy Barr (R-Ky.) reintroduced legislation to “protect against the misuse of consumers’ sensitive financial information” collected under the Home Mortgage Disclosure Act (HMDA). According to a May 5 press release issued by Rep. Hultgren’s office, the Homeowner Information Privacy Protection Act (H.R. 2204) would require the Comptroller General of the United States to conduct a study to determine whether the data required to be published, made available, or disclosed under HMDA could result in: (i) exposing the mortgagor’s or applicant’s identity; (ii) exposing the mortgagor or applicant to identity theft or loss of personal, sensitive information; (iii) marketing or selling unfair, deceptive, or abusive financial products based on such information; (iv) personal financial loss or emotional distress resulting from the exposure to identity theft or the loss of sensitive personal financial information; and (v) “the potential legal liability facing the Bureau and market participants in the event the data required to be published, made available, or disclosed under the final rule leads or contributes to identity theft or the capture of sensitive personal financial information.” The bill further provides that the Comptroller will submit reports detailing the findings and conclusions as well as any recommendations for legislative and regulatory actions to the Committee on Financial Services of the House of Representatives and the Committee on Banking, Housing, and Urban Affairs of the Senate. In addition, the bill proposes to delay the effective date of the new reporting requirements set forth in the 2015 HMDA rule to January 1, 2019.

    As previously covered in InfoBytes Special Alerts (see here and here), the CFPB has proposed amendments to the 2015 HMDA rule, which clarifies the collection and reporting requirements for several data points, among other things.

    Federal Issues Congress HMDA Privacy/Cyber Risk & Data Security

  • President Issues Executive Order Directing Agencies to Focus on Cybersecurity

    Federal Issues

    On May 11, the Trump Administration issued an Executive Order directing federal agencies to increase their efforts to mitigate cyber risks. The order, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates that agencies follow the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk. Among other things, the EO tasks agency heads with submitting a risk management report to the Department of Homeland Security and the OMB within 90 days. In addition, the order directs defense agencies, the office of the Attorney General, and the FBI to provide the White House with recommendations on how to improve cybersecurity standards among critical infrastructure industries. Notably, the EO includes the financial services industry in its list of critical infrastructure industries. The report is due in 180 days.

    Federal Issues Privacy/Cyber Risk & Data Security Trump Executive Order

  • Second Circuit Holds Purported Class Action Plaintiff Failed to Establish Article III Standing in Data Breach Case


    In a summary order handed down May 2, the Second Circuit Court of Appeals held that a plaintiff in a purported class action lacked Article III standing to bring claims against a retailer for breach of an implied contract and for violation of New York General Business Law § 349 arising out of a data breach of the retailer’s systems. See Whalen v. Michaels Stores, Inc., __ Fed. App’x __, Nos. 16-260, 16-352 (2d Cir. May 2, 2017). The consumer-plaintiff had made purchases with her credit card at one of the defendant’s stores, and following the data breach, her credit card was physically presented to pay for two unauthorized charges in Ecuador. The fraudulent charges occurred on consecutive days, with the plaintiff canceling her card on the same day as the second charge. The defendant offered 12 months’ credit monitoring and there was no indication that personally identifying information such as plaintiff’s date of birth or social security number was stolen. Plaintiff argued that she was injured by: (i) the theft of her credit card information and the two fraudulent-purchase attempts, (ii) the risk of future identity fraud, and (iii) the time and money she spent resolving the attempted fraudulent charges and monitoring her credit.

    Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the court concluded that plaintiff did not allege a concrete and particularized injury sufficient to confer Article III standing. As to plaintiff’s first argument, the Court reasoned that she was never “asked to pay, nor did pay, any fraudulent charge.” As to the second argument, the Court stated that there was no threat of future fraud because the plaintiff’s stolen credit card was “promptly canceled,” and “no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” The third argument was likewise inadequate because the plaintiff “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”

    The court also noted that these shortcomings distinguished the plaintiff from plaintiffs in other data breach cases held to have adequately established Article III standing. See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x 384 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015).

    Courts Privacy/Cyber Risk & Data Security

  • FBI Issues PSA on Social Engineering Scams

    Privacy, Cyber Risk & Data Security

    On May 4, the FBI’s Internet Crime Complaint Center released a public service announcement (I-050417-PSA) citing losses to U.S. businesses of nearly $1.6 billion due to social engineering wire transfer and other payment scams between October 2013 and December 2016, with approximately one fifth of the losses coming in the last seven months of 2016. The FBI defines the crime as Business E-mail Compromise (BEC), a sophisticated scam targeting businesses that regularly perform wire transfer payments and/or work with foreign suppliers, and often specifically involves E-mail Account Compromise (EAC) of individuals that perform wire transfer payments. Victims range from small businesses to large corporations and deal in a wide variety of goods and services. According to the FBI, the five main BEC/EAC scam scenarios are: (i) a business working with a longstanding or trusted foreign supplier, where a perpetrator may impersonate the supplier and seek a change in payment instructions by e-mail, phone or fax; (ii) a high-level business executive whose e-mail account is compromised receiving or initiating a request for a wire transfer; (iii) a third party business contact receiving fraudulent correspondence, such as requests for invoice payment, through a compromised email account; (iv) impersonation of a business executive or attorney; and (v) data theft. The FBI also cites 2016 trends including a 480 percent increase in complaints filed by title companies targeted by scammers as part of a real estate transaction, a 50 percent increase in complaints filed by businesses working with dedicated foreign suppliers, and a large increase in W-2 and PII phishing occurring during the 2016 tax season.

    Privacy/Cyber Risk & Data Security FBI
