InfoBytes Blog

Financial Services Law Insights and Observations

  • NACHA Bulletin Addresses Reinitiation of Returned Debits

    Fintech

    On July 15, the Electronic Payments Association (NACHA), the organization that manages the ACH Network, issued a bulletin that describes the provisions of NACHA's operating rules regarding the "reinitiation" of returned ACH debit entries and the collection of return fees. With respect to reinitiation, the bulletin outlines the limited circumstances under which the rules permit originators and originating depository financial institutions (ODFIs) to reinitiate returned entries. First, an originator or an ODFI may reinitiate a returned entry up to two times if the entry was returned for insufficient or uncollected funds. Second, an originator or an ODFI may reinitiate an entry returned for stop payment, but only if the receiver reauthorized the entry after the return of the original. Finally, unless authorization has been revoked, an originator or an ODFI may reinitiate an entry returned for any other reason, as long as the originator or ODFI has corrected or remedied the reason for the return; where authorization has been revoked, the entry may not be reinitiated. In every case, a reinitiation must take place within 180 days of the settlement date of the original entry.

    With respect to the collection of return fees, the bulletin explains that (i) a return fee entry may be initiated only to the extent permitted by applicable law, and only for an entry that was returned for insufficient or uncollected funds; (ii) originators and ODFIs must provide specific notice before charging return fees; (iii) return fees must be specifically labeled as return fees in any entry description; (iv) only one return fee may be assessed with respect to any returned entry; and (v) a return fee may not be assessed with respect to the return of a return fee entry (i.e., no "fees on fees").

    Payment Systems Bank Compliance NACHA

  • NIST Releases Draft Outline of Cybersecurity Framework

    Fintech

    On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.

    Privacy/Cyber Risk & Data Security NIST

  • California AG Releases Data Breach Report, Proposes Data Security Policy Changes

    Fintech

    On July 1, California Attorney General Kamala Harris (AG) released a report analyzing data breaches reported to her office in 2012, the first year companies were required to report to the AG any breach involving more than 500 state residents. The report identifies 131 data breach incidents that put the personal information of 2.5 million individuals at risk. The AG noted that the report is not required by the law, but provides support for the AG's recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those policy recommendations focus on (i) data encryption, (ii) information security, (iii) notice letters, and (iv) the definition of personal information.

    Specifically, the AG stated that the information of 1.4 million Californians would have been protected if companies had encrypted their data, and urged companies to encrypt digital personal information when moving or sending it outside their secure network. The AG pledged to prioritize enforcement investigations of breaches involving unencrypted personal information. The report notes that a large percentage of the breaches surveyed resulted from the failure of information security controls, and references the requirements under state law to protect the personal information of California residents.

    The AG also stated that companies should make their data breach notices to consumers easier to read, and that the state legislature should consider expanding breach notice requirements to cover breaches involving passwords. The AG highlighted a pending bill, SB 46, that would revise the notice requirement's definition of personal information to require reporting of breaches involving information that would permit access to an online account: a user name or email address, in combination with a password or security question and answer. That bill has already passed the state Senate and was approved by the Assembly's Judiciary Committee. It is scheduled to be considered by the Assembly's Appropriations Committee on July 3, 2013.

    State Attorney General Privacy/Cyber Risk & Data Security

  • FTC Updates Guidance for Search Engines on Advertising

    Fintech

    On June 25, the FTC announced updated guidance for the search engine industry on distinguishing paid search results from natural search results. The updated guidance took the form of letters sent to seven general-purpose search engines and 17 high-traffic specialized search engines. The FTC noted that the principles of its original 2002 guidance still apply, but that changes in the search industry and requests from industry and consumer groups led the agency to issue the revised guidance. The guidance states that failure to clearly and prominently distinguish advertising from natural search results, such as through visual cues, labels, or other techniques, could constitute a deceptive practice. The FTC also noted that the principles of the guidance should be applied to newer means consumers use to search for information, such as social media, mobile applications, and voice assistants on mobile devices.

    FTC Mobile Commerce

  • NIST Issues Mobile Device Security Guidelines

    Fintech

    On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, its device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smartphones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycle. The recommendations aim to address security issues related to both organization-provided and personally owned ("bring your own device") mobile devices.

    Mobile Commerce NIST Privacy/Cyber Risk & Data Security

  • FTC Chairwoman Announces Senior Personnel Changes

    Fintech

    On June 17, FTC Chairwoman Edith Ramirez named several senior staff members, including Jessica Rich as Director of the Bureau of Consumer Protection. Ms. Rich has been with the FTC for more than 20 years and most recently served as Associate Director of the Division of Financial Practices. Prior to that, Ms. Rich was a Deputy Director of the Bureau and has served as the Acting Associate Director and Assistant Director of the Bureau’s Division of Privacy and Identity Protection, among numerous other positions. Ms. Ramirez also named Jonathan E. Nuechterlein as General Counsel. He joins the agency from a large law firm, where he was a partner and chair of the firm’s communications, privacy, and Internet law practice group. He previously was Deputy General Counsel for the FCC and an Assistant to the Solicitor General at the U.S. Department of Justice.

    FTC Nonbank Supervision Privacy/Cyber Risk & Data Security

  • Texas Enacts Stringent Email Privacy Bill

    Fintech

    On June 14, Texas enacted HB 2268, which amends current state law relating to "search warrants issued in [that] state and other states for certain customer data, communications, and other related information held in electronic storage" by "electronic communications services and remote computing services" providers. Among other things, the bill requires law enforcement to obtain a warrant to search emails, regardless of the age of the emails. The requirement exceeds the privacy protections granted by the federal Electronic Communications Privacy Act, which permits government access without a warrant to emails that have been in storage for more than 180 days.

    Privacy/Cyber Risk & Data Security

  • OCC Publishes Community Bank Best Practices Booklet, Holds Webinar on Community Bank Cyber Threats

    Fintech

    On June 13, the OCC published a booklet titled “A Common Sense Approach to Community Banking,” which offers best practices the agency believes distinguish high-performing community banks from those that barely survive or fail. The booklet, which previously was distributed to national banks and federal thrifts and now is available on the OCC’s website, focuses on three interrelated areas: (i) risk assessment and management, (ii) strategic planning, and (iii) capital planning. Earlier in the week, the OCC hosted a webinar on cyber threats and vulnerabilities to raise awareness for community banks, and provided a collection of existing regulatory guidance that addresses actions banks should take to help mitigate the risks associated with information security.

    OCC Community Banks Privacy/Cyber Risk & Data Security

  • FTC Revises Red Flags Identity Theft Rule Business Guide

    Fintech

    On June 12, the FTC issued revised guidance to help firms comply with its Red Flags Rule, which requires covered firms to monitor for and respond to certain "red flag" warnings of customer identity theft. The updated guide reflects changes made to the rule last year that more narrowly define the types of creditors subject to the rule.

    FTC Privacy/Cyber Risk & Data Security

  • NIST Seeks Comments on Cloud Computing Security Document

    Fintech

    On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.

    Cloud Computing NIST Privacy/Cyber Risk & Data Security
