
InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC to Host Small Business Roundtables Focusing on Cybersecurity

    Privacy, Cyber Risk & Data Security

    On July 20, the FTC announced it will host a series of public roundtables to discuss pressing challenges facing small businesses when protecting the security of their computers and networks. The feedback will be used to assist the FTC and its partners in creating additional cybersecurity education resources. The Engage, Connect, and Protect Initiative: Small Business and Data Security Roundtables are part of Acting FTC Chairman Maureen K. Ohlhausen’s initiative to help small businesses protect against cyberattacks. Earlier this year, Ohlhausen launched a website designed to provide guidance on scams and cyberattacks for small businesses, many of which lack the resources larger companies have to spend on cybersecurity. (See previous InfoBytes post here.)

    The first roundtable will be on July 25 in Portland, Oregon, in partnership with the National Cyber Security Alliance (NCSA), the SBA, and other organizations. On September 6, a second roundtable discussion will convene in Cleveland in collaboration with the SBA and the Council of Smaller Enterprises. The third roundtable in the series, sponsored by the NCSA, will occur later in September in Des Moines, Iowa.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Small Business

  • FTC Staff Supports FCC’s Proposal to Reverse Broadband Enforcement Authority

    Privacy, Cyber Risk & Data Security

    On July 17, FTC staff submitted its comments to the FCC in response to the FCC’s Notice of Proposed Rulemaking on Restoring Internet Freedom (NPRM), in favor of returning broadband enforcement authority to the FTC. (See previous InfoBytes coverage here.) The NPRM would reverse a 2015 FCC decision, which changed the classification of broadband internet access service from an “information service to a common carrier service,” and resulted in a loss to the FTC’s authority. Currently, the FTC cannot regulate common carrier activities. FTC staff argued that, with the exception of broadband providers, FTC jurisdiction covers virtually all other internet entities. Having one agency with enforcement authority over all internet entities would allow for “consistent standards and consistent application of those standards.” The result, the staff encouraged, would be the creation of a “level playing field for all companies operating in the Internet ecosystem.”

    Acting FTC Chairman Maureen K. Ohlhausen endorsed the staff comments and offered support for the NPRM to reverse the 2015 Title II classification of broadband internet access service as a way to “restore the FTC’s ability to protect broadband consumers under its general consumer protection and competition authority.” However, FTC Commissioner Terrell McSweeny dissented, stating that “[u]nless Congress repeals the common carrier exemption in the FTC Act, the FTC could continue to face challenges to its authority over common carriers.” Consequently, “[r]epealing these rules would be harmful for consumers and the marketplace . . . . Rather than roll[ing] back protections, we should augment them with renewed FCC vigor and a change to anachronistic barriers to FTC enforcement.”

    Privacy/Cyber Risk & Data Security FTC FCC Federal Issues Agency Rule-Making & Guidance Enforcement

  • FTC Announces Settlement of More Than $104 Million with Company for Selling Sensitive Financial Information

    Privacy, Cyber Risk & Data Security

    On July 5, the FTC issued a press release announcing a settlement of more than $104 million with a lead generation company for allegedly misleading loan applicants with promises of matching consumers with lenders that could offer the best loan terms. Actually, the FTC asserts, defendants were selling the applications, including sensitive personal information such as Social Security numbers and bank account numbers, to anyone who would pay for them “without regard for how the information would be used or whether it would remain secure.”

    The proposed order accompanying the settlement states that defendants used deceptive and unfair acts or practices in the course of their lead generation activities, and permanently prohibits defendants from misrepresenting financial products or services to consumers. It also enjoins defendants from selling or transferring a consumer’s personal information unless the consumer has provided consent and provides that defendants may not benefit from any consumer information collected before the entry of the order. Further, defendants must destroy all personal consumer information in any form within 30 days after the order.

    In addition to the above settlement terms, the defendants agreed to (i) compliance monitoring, (ii) creating certain records for ten years after the date of entry of the order, and (iii) compliance reporting.

    Although defendants have filed for bankruptcy, they agreed that the amount owed to the FTC in the settlement will not be dischargeable.

    Privacy/Cyber Risk & Data Security Courts Consumer Lending Internet Lending FTC

  • Data Breach Lawsuit Settled for $115 Million

    Privacy, Cyber Risk & Data Security

    On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been compromised. On June 23, Plaintiffs submitted to the court a memorandum in support of the settlement. The settlement, if approved by the court, will provide almost 80,000 proposed class members with extended credit monitoring for at least two years. Additionally, the settlement will require the insurer to “implement or maintain meaningful, specific changes to its data security practices that directly address the security elements that Plaintiffs believe contributed to the breach,” including hiring independent consultants to perform annual IT risk assessments and compliance reviews, and providing the results of those audits to Plaintiffs’ counsel.

    Privacy/Cyber Risk & Data Security Fintech Data Breach Consumer Finance

  • FCC Proposes $120 Million Fine for Spoofed Robocalls

    Privacy, Cyber Risk & Data Security

    On June 22, the Federal Communications Commission (FCC) announced a proposed fine of $120 million against a telemarketer for violating the Truth in Caller ID Act. The agency claims that the individual made nearly 100 million calls in which he falsified caller ID information in order to display incorrectly the same area code and first three digits as the consumer he was calling. “Neighbor spoofing,” according to the FCC, is an illegal technique used to appear to be calling from the recipient’s own area. If the recipient answered the call, the caller would then offer travel packages falsely claiming to represent well-known hotel and travel companies. The citation and order provides the telemarketer with 30 days to respond to the FCC.

    Privacy/Cyber Risk & Data Security FCC

  • 15 State Attorneys General Clarify Data Breach Notification Laws

    Privacy, Cyber Risk & Data Security

    On June 5, 15 state attorneys general issued a joint letter to an e-commerce hosting company refuting the company’s assertion in its FAQ provided to online retailers that they are not obligated to notify customers of a data breach in situations where credit card CVV numbers were not disclosed. According to claims made by the attorneys general, the company erroneously stated that, pursuant to the identified states’ data breach notification laws, “there is no obligation to notify in those states . . . if your customers’ CVV data was not exposed.” The attorneys general argued that this is incorrect and stated, “[t]he CVV number does not have to be disclosed to trigger our states’ notification obligations.” The letter noted, as an example, New York General Business Law § 899-aa(1)(b)(3), which stipulates that companies must provide notification of a data breach to affected customers when a credit or debit card number plus “any required security code, access code, or password” that would permit access to the account is obtained by an unauthorized party. The attorneys general stated that a CVV code is not a required access code because the card can be used without it. The company is required to provide clarification regarding its FAQ to affected client retailers.

    Privacy/Cyber Risk & Data Security State AG Data Breach Credit Cards Consumer Finance

  • FTC Announces Settlement with Operators of Tech Support Scam

    Privacy, Cyber Risk & Data Security

    On June 7, the FTC announced two settlements in a pending action brought against defendants who allegedly used pop-up internet ads to deceive consumers into believing their computers were infected and then sold unnecessary technical support services to fix the issues. Under the terms of the settlements (available here and here), the defendants (i) will relinquish assets with a combined value of nearly $6 million to provide restitution to victims, and (ii) are banned from marketing, promoting, or misrepresenting technical support products or services in the future. The settlement is part of the FTC’s ongoing efforts to pursue tech support scams through its Operation Tech Trap initiative. (See previous InfoBytes coverage here.)

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement Securities Litigation

  • FTC to Host Third PrivacyCon Event, Issues Call for Presentations

    Privacy, Cyber Risk & Data Security

    On June 8, the FTC announced it will hold its third PrivacyCon, which will “expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government” to explore “the privacy and security implications of emerging technologies, such as the Internet of Things, artificial intelligence and virtual reality.” Specific topics will cover ways to quantify the harm when companies fail to secure consumer information, and how to “balance the costs and benefits of privacy-protective technologies and practices.” Additionally, the FTC issued a call for presentations to receive research and input on several areas such as (i) the “nature and evolution of privacy and security risks”; (ii) “quantifying costs and benefits of privacy from a consumer perspective” and business perspective; and (iii) “incentives, market failures, and interventions.” Presentation submissions must be made by November 17, 2017. The event will take place on February 28, 2018 in Washington, DC.

    Privacy/Cyber Risk & Data Security FTC Fintech

  • NASAA to Convene Roundtable on Cybersecurity Developments

    Privacy, Cyber Risk & Data Security

    On May 31, the North American Securities Administrators Association (NASAA) announced it will hold a cybersecurity roundtable for industry experts to discuss the latest developments as well as strategies for investment advisers and broker-dealers to protect personal client information. In addition to convening representatives from state securities agencies and the financial services industry, roundtable discussions will also feature representatives from the FBI, Treasury, and the SEC. The event will take place June 23 from 9 a.m. to 3:30 p.m. in Washington, DC. Registration information can be accessed here.

    Privacy/Cyber Risk & Data Security Securities FBI Treasury Department SEC

  • FFIEC Releases Update to Cybersecurity Assessment Tool to Aid Institution Preparedness

    Privacy, Cyber Risk & Data Security

    On May 31, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT) developed to aid institutions in determining their risk profiles, identifying risks, and determining cybersecurity preparedness. The update details changes made to the FFIEC IT Examination Handbook and provides a revised mapping in Appendix A to the updated Information Security and Management booklets. The press release notes that “[m]anagement of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities’ cybersecurity risk.” Outlined in Appendix A, the CAT is a framework designed to provide a “repeatable and measurable process” to measure cybersecurity in areas such as cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The CAT also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” Financial institutions can access additional cybersecurity risk management information here.

    Privacy/Cyber Risk & Data Security FFIEC
