Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events


Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • New York AG Settles Charges with Tech Company Over WiFi Lock Vulnerabilities

    Privacy, Cyber Risk & Data Security

    On May 22, New York Attorney General Eric T. Schneiderman announced that a Utah-based tech company agreed to settle allegations that, among other things, its wireless doors and padlocks failed to protect consumers’ personal information, leaving consumers vulnerable to hacking and theft. This action marks the first time the Attorney General’s office has taken legal action against a wireless security company for failing to protect private data. Results from an August 2016 study, conducted by independent security researchers, reveal that the tech company’s Bluetooth-enabled locks “transmitted passwords between the locks and the user’s smartphone . . . without encryption” and also contained “weak default passwords.” Both issues allowed perpetrators to intercept passwords and undo the locks. Under the terms of the settlement, the company agreed to reform its data security practices and implement a comprehensive security program.

    Privacy/Cyber Risk & Data Security Enforcement State AG

    Share page with AddThis
  • U.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement

    Privacy, Cyber Risk & Data Security

    On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. According to multiple state attorneys general, this represents the largest multistate data breach deal to date. According to the states’ investigation, the November 2013 security breach occurred when cyberattackers accessed the retailer’s customer service database to install malware that was able to capture consumers’ personal information, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. Under the terms of the Assurance of Voluntary Compliance, the retailer agreed to do the following, including:

    • develop, implement, and maintain a comprehensive Information Security Program (Program) and required safeguards;
    • employ an executive or officer with information security experience responsible for executing the Program and advising the CEO and Board of Directors of security-related issues;
    • develop and implement risk-based policies and procedures for auditing vendor compliance with the Program;
    • maintain and support software on its network for data security purposes;
    • maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
    • segment its cardholder data environment from the rest of its computer network;
    • undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication;
    • deploy and maintain a file integrity monitoring solution; and
    • hire a third-party to conduct a comprehensive security assessment.

    The majority of the terms last five years.

    States involved issued press releases announcing their portions of the settlement. California Attorney General Xavier Becerra stated that California will be receiving more than $1.4 million from the settlement, the largest share of any state. Illinois, which co-led the investigation with the state of Connecticut, will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan, who stated, “Today’s settlement . . . establishes industry standards for companies that process payment cards and maintain secure information about their customers.” Connecticut Attorney General George Jepsen noted that the retailer “deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement. I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”

    Privacy/Cyber Risk & Data Security Enforcement State AG

    Share page with AddThis
  • Acting FTC Chairman Ohlhausen Welcomes New FCC Approach to Internet Openness

    Privacy, Cyber Risk & Data Security

    On May 18, Acting FTC Chairman Maureen Ohlhausen issued a statement on the FCC’s publication of a Notice of Proposed Rulemaking (NPRM) to “reinstate a light-touch regulatory approach protecting Internet openness.” The Notice proposes the following actions: (i) returning to the framework under Title I of the Communications Act instead of following Title II regulatory guidance; (ii) classifying mobile broadband Internet access service as “private mobile service”; and (iii) eliminating Title II’s “vague and expansive” Internet conduct standard, thus eliminating regulatory uncertainty. “I welcome the adoption of this NPRM as further progress toward restoring the FTC’s ability to protect broadband subscribers from unfair and deceptive practices, including violations of their privacy. Those consumer protections were an unfortunate casualty of the FCC’s 2015 decision to subject broadband to utility-style regulation. This new proceeding offers an opportunity to undo that decision and thereby return broadband consumers to the expert protection of the FTC,” stated Chairman Ohlhausen.

    Privacy/Cyber Risk & Data Security FTC FCC

    Share page with AddThis
  • House Passes Cyber Crime Bill

    Privacy, Cyber Risk & Data Security

    On May 16, the U.S. House of Representatives officially approved the Strengthening State and Local Cyber Crime Fighting Act of 2017 (H.R. 1616) in a vote of 408-3. The Act would amend the Homeland Security Act of 2012 to formalize the Secret Service’s National Computer Forensic Institute’s (NCFI) responsibilities for coordinating investigations into cyberattacks and hacks and would provide training and tools for state and local agencies dealing with electronic crime related threats. In an April press release issued by the bill’s sponsor, Rep. John Ratcliffe (R-Tex.), Chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, stated, “The [NCFI] has played a major role in equipping state and local law enforcement officers across the country with the tools they need to address the extra layers of complexity presented by the growing incidences of cybercrime,” Notably, the legislation, which now heads to the Senate, follows the recent international cyberattack that infected computer systems globally with the WannaCry ransomware (see previous InfoBytes coverage here).

    Privacy/Cyber Risk & Data Security U.S. House

    Share page with AddThis
  • Ransomware Attack Has Global Impact, Bipartisan Legislation Introduced to Counter Hacking

    Privacy, Cyber Risk & Data Security

    On May 12, a cyberattack spread around the world, affecting more than 230,000 computers in roughly 150 countries, according to a statement issued by the American Bankers Association. The ransomware, known as “WannaCry,” was used to exploit a vulnerability that affects computers running Microsoft Windows (see Department of Homeland Security Alert). Users of infected computers received a message that their files had been encrypted and that they must pay a ransom in bitcoin in order to decrypt their files. However, as conveyed in a press release issued by the Financial Services - Information Sharing and Analysis Center (FS-ISAC), it appears that the majority of the attacks seem to be targeting and impacting non-financial sector entities globally. FS-ISAC “believes the current attacks utilize known vulnerabilities for which there are available software patches,” but that firms and service providers need to implement the patches. Agencies continue to monitor what may be the first in a series of attacks.

    SEC Office of Compliance and Examinations (OCIE) and FBI Issue Responses. The OCIE released a statement cautioning registrants to be vigilant in mitigating risk, and noted a recent OCIE study that determined a substantial number of registrants did not conduct periodic risk assessments, penetration tests, or vulnerability scans, while a smaller number had not updated critical security patches. The OCIE also provided links to guidance on cybersecurity risk management. Likewise, the FBI issued a bulletin providing guidance on additional protection measures following the attack.

    Bipartisan Legislation Introduced. On May 17, bipartisan legislation was introduced in the House and Senate to add transparency and accountability to the federal government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems. The bill, Protecting our Ability To Counter Hacking (PATCH) Act, follows the apparently leaked NSA hacking tool which opened the door to the global “WannaCry” ransomware attack. It is sponsored by Senators Brian Schatz (D-Haw.),  Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.), and Representatives Ted Lieu (D-Cal.) and Blake Farenthold (R-Tex.). As described in a release issued by Sen. Schatz’s office, the proposed legislation would make the Vulnerabilities Equities Process (VEP) more permanent, while altering its structure. It would also make the Department of Homeland Security the chair of the interagency board overseeing the VEP. Under the bill, the NSA and other security agencies would still be a permanent part of the board, while other agencies and the White House's National Security Council could attend meetings if the board deems it necessary. The established board would also produce a report for Congress on the policies it establishes regarding the disclosure of vulnerabilities no later than 180 days after the enactment of the Act. An unclassified version of the report will be publically available as well. “Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy,” Sen. Schatz noted. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

    Coalition for Cybersecurity Policy and Law. The legislation has already received support. The Coalition issued the following statement in support of the proposed bill: “We support the goals of the PATCH Act and we look forward to working with Chairman Johnson, Senators Schatz and Gardner, and Reps. Lieu and Farenthold as it moves forward in both chambers. The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery.”

    Privacy/Cyber Risk & Data Security ABA SEC Congress

    Share page with AddThis
  • FTC, Federal, State, and International Partners Announce Crackdown on Tech Support Scams

    Privacy, Cyber Risk & Data Security

    On May 12, the FTC, along with federal, state and international law enforcement partners, announced new enforcement actions in its “Operation Tech Trap” program. The program is designed to crack down on tech support scams that, among other things, deceive consumers into believing their computers are infected with viruses and malware and then charge them for unnecessary repairs. According to FTC, its Operation Tech Trap partners have brought 29 law enforcement actions against deceptive tech support operations in the last year. Among the four new complaints announced on May 12, the FTC has already been granted temporary restraining orders in three of the cases to stop the tech support companies’ deceptive practices, freeze their assets, and appoint a temporary receiver to take control of them.

    The FTC also announced a settlement in a pending action brought by the FTC and the Attorneys General of Connecticut and Pennsylvania against two defendants who allegedly participated in deceptive acts and practices in connection with the advertising, marketing, and sale of computer security or technical support products and services. Under the terms of the settlement, the defendants are subject to a money judgment in excess of $27 million. The stipulated final order has been entered by the U.S. District Court for the Eastern District of Pennsylvania. In addition to the FTC and state cases, DOJ brought federal criminal charges against seven individuals, two of whom have entered guilty pleas, for their participation in an international “Tech Support Scam.” Moreover, with respect to its international efforts, Operation Tech Trap is working with authorities in India to crack down on tech support scammers, and have also instituted consumer and business education outreach initiatives with Australia and Canada.

    Privacy/Cyber Risk & Data Security FTC Enforcement State AG DOJ

    Share page with AddThis
  • FTC Launches New Website for Small Businesses, Provides Resources to Avoid Scams and Cyberattacks

    Privacy, Cyber Risk & Data Security

    On May 9, the FTC announced the launch of its new website——designed to provide useful information so small businesses can protect their networks and customer data from scams and cyberattacks. The website offers specific guidance such as the Small Business Computer Security Basics guide, which shares computer security basics to help companies: (i) protect their files and devices; (ii) train employees to think twice before sharing the business’s account information; (iii) keep their wireless networks protected; and (iv) respond to data breaches. Information on other cyber threats such as ransomware and phishing schemes that target small businesses is also provided. According to the FTC, the U.S. Small Business Administration reports that “there are more than 28 million small businesses nationwide” that are at risk, many of which lack the resources larger companies have to spend on cybersecurity. Further, the FTC noted that Symantec Corp. found that “the percentage of spear-phishing attacks targeting small business rose dramatically from 18 percent to 43 percent between 2011 and 2015.”

    Privacy/Cyber Risk & Data Security FTC Consumer Education

    Share page with AddThis
  • FBI Issues PSA on Social Engineering Scams

    Privacy, Cyber Risk & Data Security

    On May 4, the FBI’s Internet Crime Complaint Center released a public service announcement (I-050417-PSA) citing losses to U.S. businesses of nearly $1.6 billion due to social engineering wire transfer and other payment scams between October 2013 and December 2016, with approximately one fifth of the losses coming in the last seven months of 2016. The FBI defines the crime as Business E-mail Compromise (BEC), a sophisticated scam targeting businesses that regularly perform wire transfer payments and/or work with foreign suppliers, and often specifically involves E-mail Account Compromise (EAC) of individuals that perform wire transfer payments. Victims range from small businesses to large corporations and deal in a wide variety of goods and services. According to the FBI, the five main BEC/EAC scam scenarios are: (i) a business working with a longstanding or trusted foreign supplier, where a perpetrator may impersonate the supplier and seek a change in payment instructions by e-mail, phone or fax; (ii) a high-level business executive whose e-mail account is compromised receiving or initiating a request for a wire transfer; (iii) a third party business contact receiving fraudulent correspondence, such as requests for invoice payment, through a compromised email account; (iv) impersonation of a business executive or attorney; and (v) data theft. The FBI also cites 2016 trends including a 480 percent increase in complaints filed by title companies targeted by scammers as part of a real estate transaction, a 50 percent increase in complaints filed by businesses working with dedicated foreign suppliers, , and a large increase in W-2 and PII phishing occurring during the 2016 tax season.

    Privacy/Cyber Risk & Data Security FBI

    Share page with AddThis
  • American Bankers Association Argues for “Strong, Consistent” National Data Protection Standard

    Privacy, Cyber Risk & Data Security

    In a May 8 letter to Congress, the American Bankers Association (ABA) called on Congress to pursue national data protection standards for companies that handle consumers’ sensitive financial data. The letter notes that the financial sector has an excellent track record in protecting consumer data, citing data from the Identity Theft Resource Center indicating that only 0.2% of records exposed in data breaches were attributable to the financial sector, as opposed to the 81.3% of records exposed at businesses included retail, adding that the industry is highly motivated and under constant oversight to ensure that Federal privacy and data protection laws such as the Gramm-Leach-Bliley Act are followed.  On the other hand, the ABA notes, other industries are not required to protect consumer data under Federal law and have strongly opposed legislation that would add such requirements. The association concludes that a “strong, consistent national standard for fighting data breaches” is necessary to create a “security infrastructure that brings banks, payment networks and retailers together to safeguard sensitive financial data.”

    Privacy/Cyber Risk & Data Security Congress ABA

    Share page with AddThis
  • FINRA Releases New Guidance on Rules Concerning Digital Communications

    Privacy, Cyber Risk & Data Security

    On April 25, FINRA issued new guidance on the application of its rules governing communications with the public concerning social media networking sites and online business communications. In 2010 and 2011, FINRA released Regulatory Notices 10-06 and 11-39 to provide initial guidance on these specific rules, and in 2013, “adopted amendments to Rule 2010 that codif[ied] guidance provided in the Notices with respect to the supervision of interactive social media posts by member firms.” In December 2014, FINRA issued its Respective Rule Review Report, which was designed to “assess whether the communications rules are meeting their intended investor protection objectives . . . and to take steps to maintain or improve the effectiveness of the rules.” FINRA Regulatory Notice 17-18 is the response to the report’s request for additional guidance and provides examples of how FINRA applies its rules to the following topics: text messaging, personal communications, hyperlinks and content sharing, native advertising, online testimonials and endorsements, correction of third-party content, and BrokerCheck. FINRA further notes that Regulatory Notice 17-18 is intended to deliver further guidance and does not alter principles previously provided in prior notices.

    Privacy/Cyber Risk & Data Security FINRA Agency Rulemaking & Guidance Securities

    Share page with AddThis