
InfoBytes Blog

Financial Services Law Insights and Observations

  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO Paulino do Rego Barros Jr. spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for its credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance

  • SEC Chairman Releases Statement Discussing Internal Cybersecurity Assessment, Announces EDGAR Vulnerability May Have Led to Illicit Gain

    Privacy, Cyber Risk & Data Security

    On September 20, the SEC released a statement issued by Chairman Jay Clayton regarding the Commission’s approach to cybersecurity and its impact on market participants. Topics discussed in the statement, which is part of the SEC’s ongoing assessment of its cybersecurity risk profile, include:

    • the collection and use of data by the SEC;
    • the management of, and responses to, internal cybersecurity risks;
    • the integration and incorporation of cybersecurity considerations into the SEC’s supervision of regulated entities;
    • coordinated efforts with other regulators to identify and mitigate risk; and
    • oversight and enforcement efforts related to cybersecurity activities.

    The Chairman also discussed the SEC’s discovery in August that a 2016 security incident involving a software vulnerability within the Commission’s EDGAR system “may have provided the basis for illicit gain through trading” by providing access to nonpublic information. However, the SEC also stated its belief that “the intrusion did not result in the unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” According to the SEC, the vulnerability was patched promptly after discovery, and the SEC commenced an internal investigation, which is ongoing.

    Chairman Clayton is scheduled to testify before the Senate Banking Committee on September 26 at a hearing titled, “Oversight of the U.S. Securities and Exchange Commission.”

    Privacy/Cyber Risk & Data Security SEC Senate Banking Committee EDGAR Data Breach

  • Legislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach

    Privacy, Cyber Risk & Data Security

    As previously reported in InfoBytes, a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative action. Senator Brian Schatz (D-Haw.) reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act to address these issues. In addition, two committees—the House Financial Services Committee and the House Energy and Commerce Committee—both announced plans to hold hearings on the breach (dates still to be released). Separately, Representative Ted Lieu (D-Cal.) sent a letter to the House Judiciary Committee requesting a hearing to investigate how and why the data breach occurred, and what measures can be taken to prevent future incidents.

    At least two class action lawsuits have been filed—in Georgia and Oregon—as a result of the breach, and several state attorneys general, including New York Attorney General Eric T. Schneiderman, have launched investigations into the matter. The CFPB also released a blog post for consumers on ways to identify signs of fraud or identity theft.

    Notably, on September 11, the agency issued an update for consumers announcing that “in response to consumer inquiries,” the arbitration clause and class action waiver included in its terms of use will not “apply to this cybersecurity incident.” The CFPB’s final arbitration rule, which prohibits the use of mandatory pre-dispute arbitration clauses, has been a point of considerable debate this summer, with the House voting to repeal the proposed rule and the Senate introducing a similar measure (see InfoBytes post here), while a coalition of state attorneys general has issued support for the proposed rule (see InfoBytes post here).

    Privacy/Cyber Risk & Data Security Data Breach Class Action State AG

  • Credit Reporting Agency Announces Widespread Consumer Data Breach

    Privacy, Cyber Risk & Data Security

    On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identity theft protection.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach

  • Data Breach Lawsuit Settled for $115 Million

    Privacy, Cyber Risk & Data Security

    On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been compromised. On June 23, Plaintiffs submitted to the court a memorandum in support of the settlement. The settlement, if approved by the court, will provide almost 80,000 proposed class members with extended credit monitoring for at least two years. Additionally, the settlement will require the insurer to “implement or maintain meaningful, specific changes to its data security practices that directly address the security elements that Plaintiffs believe contributed to the breach,” including hiring independent consultants to perform annual IT risk assessments and compliance reviews, and providing the results of those audits to Plaintiffs’ counsel.

    Privacy/Cyber Risk & Data Security Fintech Data Breach Consumer Finance

  • 15 State Attorneys General Clarify Data Breach Notification Laws

    Privacy, Cyber Risk & Data Security

    On June 5, 15 state attorneys general issued a joint letter to an e-commerce hosting company refuting the company’s assertion in its FAQ provided to online retailers that they are not obligated to notify customers of a data breach in situations where credit card CVV numbers were not disclosed. According to claims made by the attorneys general, the company erroneously stated that, pursuant to the identified states’ data breach notification laws, “there is no obligation to notify in those states . . . if your customers’ CVV data was not exposed.” The attorneys general argued that this is incorrect and stated, “[t]he CVV number does not have to be disclosed to trigger our states’ notification obligations.” The letter cited as an example New York General Business Law § 899-aa(1)(b)(3), which stipulates that companies must provide notification of a data breach to affected customers when a credit or debit card number plus “any required security code, access code, or password” that would permit access to the account is obtained by an unauthorized party. The attorneys general stated that a CVV code is not a required access code because the card can be used without it. The company is required to provide clarification regarding its FAQ to affected client retailers.

    Privacy/Cyber Risk & Data Security State AG Data Breach Credit Cards Consumer Finance

  • New Mexico Enacts Data Breach Notification Act

    Privacy, Cyber Risk & Data Security

    On April 6, New Mexico Governor Susana Martinez signed into law the Data Breach Notification Act (H.B. 15), making New Mexico the 48th state to pass a data breach notification law. Under the new law—which is scheduled to take effect on June 16—companies are now required to notify any New Mexico residents (and in certain circumstances consumer reporting agencies and the state’s attorney general) following the discovery of a “security breach” involving that resident’s “personal identifying information.” The Act—which unanimously cleared both New Mexico’s House and Senate—also establishes standards for the secure storage and disposal of data containing personal identifying information and provides for civil penalties for violations.

    According to the Act, “personal identifying information” consists of an individual’s first name or first initial and last name in combination with any one or more of the following data elements: (i) Social Security number; (ii) driver's license number or government issued identification number; (iii) account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (iv) biometric data. As with many other states’ breach notice laws, the term “security breach” is defined as “the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” However, notice to affected residents is not required if the entity “determines that the security breach does not give rise to a significant risk of identity theft or fraud.” The Act also sets out the required contents of, and methods for providing, notification—which generally must be made no later than 45 days after the breach was discovered—including substitute methods if certain criteria are met. Certain entities, including those subject to GLBA or HIPAA, are exempt from the requirements of the Act.

    Notably, the Act does not provide its citizens with a private right of action, but rather charges the state’s attorney general with enforcing the Act through legal actions on behalf of affected individuals. The Act provides for the issuance of injunctive relief and/or damages for actual losses including consequential financial losses. For knowing or reckless violations of the Act, a court also may impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.

    Privacy/Cyber Risk & Data Security State Issues Data Breach State AG
