
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations

    State Issues

    On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), and Cybersecurity Regulation (23 NYCRR Part 500), and for failing to meet its Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition from a manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and found that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, under NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should file a Certificate of Compliance with the Department only if their programs are fully compliant with the applicable regulation.

    In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.

    A Buckley Special Alert is forthcoming. 

    State Issues NYDFS Enforcement State Regulators Bank Secrecy Act Anti-Money Laundering Money Service / Money Transmitters Virtual Currency Privacy, Cyber Risk & Data Security New York Digital Assets Cryptocurrency

  • State AGs announce settlement to resolve alleged data security breach

    Privacy, Cyber Risk & Data Security

    On July 26, a coalition of state attorneys general, co-led by the New Jersey AG and Pennsylvania AG, announced a settlement with a Pennsylvania-based convenience store chain related to an alleged data breach that compromised payment cards of consumers. According to the Assurance of Voluntary Compliance, the company experienced a breach of security between April 2019 and December 2019 that exposed consumer payment card data, including customers’ card numbers, expiration dates and cardholder names in New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia, as well as Washington, D.C. The AGs alleged that the company “failed to employ reasonable data security measures,” in violation of the states’ Consumer Protection Acts and Personal Information Protection Acts. Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay an $8 million fine, of which New Jersey is to receive approximately $2.5 million. The settlement also requires the company to strengthen its network protections and take measures to better protect consumer payment data.

    Privacy, Cyber Risk & Data Security State Attorney General State Issues New Jersey Pennsylvania Data Breach Settlement

  • OCC reports on cybersecurity and financial system resilience

    Privacy, Cyber Risk & Data Security

    Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and operational resilience are “top issues for the federal banking system.” The OCC also noted that it has implemented regulations and standards requiring banks to implement information security programs and protect confidential information. For example, the Interagency Guidelines Establishing Standards for Safety and Soundness “require insured banks to have internal controls and information systems appropriate for the size of the institution and for the nature, scope, and risk of its activities and that provide for, among other requirements, effective risk assessment and adequate procedures to safeguard and manage assets.” OCC regulations also, among other things, require banks to file Suspicious Activity Reports when they detect a known or suspected violation of federal law, a suspicious transaction related to illegal activity, or a violation of the Bank Secrecy Act. With respect to supervision, the OCC noted that it uses a risk-based process to evaluate banks’ risk management, identify material and emerging concerns, and require banks to take corrective action when warranted. The report also discussed current and emerging cybersecurity and resilience threats to the banking sector, which include ransomware, account takeover, supply chain risks, and geopolitical threats. Additionally, the OCC noted that it “monitor[s] longer-term technology developments, which may affect cybersecurity and resilience in the future.” The use of artificial intelligence, including machine learning, is one such development that may impact cybersecurity, according to the OCC.

    Privacy, Cyber Risk & Data Security OCC Bank Regulatory Bank Secrecy Act Artificial Intelligence

  • Massachusetts AG orders company to pay $230,000 for data breach

    Privacy, Cyber Risk & Data Security

    On July 21, the Massachusetts AG announced that a Rhode Island-based job placement service company must pay a $230,000 settlement to resolve allegations that it failed to implement proper security programs, which led to a data breach. According to the assurance of discontinuance (AOD), the company was breached in December 2020 after an employee fell victim to a phishing email, resulting in a compromise of credentials that allowed attackers to access users’ personal data. The AG alleged that the company violated Massachusetts data privacy laws by failing to have a written information security program (WISP) in place before or during the data breach. Under the terms of the settlement, the company is required to pay $230,000 in penalties, come into compliance with state laws, continue to implement and maintain a WISP, and continue to train its employees on the importance of personal information security.

    Privacy, Cyber Risk & Data Security Massachusetts State Attorney General Data Breach State Issues

  • Court grants final approval of privacy class action settlement

    Courts

    On July 20, the U.S. District Court for the Northern District of California granted final approval of a class action settlement in a suit against a fintech company alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. As previously covered by InfoBytes, the district court granted preliminary approval of the $58 million settlement in November. In granting final approval of the settlement, the court determined it was adequate, and noted that the plaintiffs’ claim that the defendant’s practices breached California’s anti-phishing law was “relatively untested.” In addition to the $58 million settlement fund, the settlement provides for injunctive relief.

    Courts California Class Action Settlement Data Collection / Aggregation Privacy, Cyber Risk & Data Security

  • House committee advances comprehensive consumer privacy bill

    Privacy, Cyber Risk & Data Security

    On July 20, the U.S. House Committee on Energy and Commerce voted 53-2 to send H.R. 8152, the American Data Privacy and Protection Act, to the House floor. As previously covered by a Buckley Special Alert, a draft of the bill was released in June, which would, among other things, require companies to collect the least amount of data possible to provide services, implement special protections for minors, and allocate enforcement responsibilities to the FTC. The bill has been revised from its initial draft to allow consumers to bring lawsuits after notifying certain state and federal regulators beginning two years after the law takes effect, which is different from the four-year wait period proposed in the draft. Additionally, the current patchwork of five state privacy laws would be preempted, although under the revised bill California's new privacy agency would be allowed to enforce the federal law. The revised bill also includes a provision that narrows the scope of algorithmic impact assessments required of large data holders to focus on algorithms that pose a “consequential risk of harm.” Additionally, the revised bill includes a more expansive definition of “sensitive data” to include browsing history, race, ethnicity, religion and union membership. It also sets a tiered system of responsibility depending on the size of companies for data related to people under 17.

    Privacy, Cyber Risk & Data Security U.S. House Data Data Collection / Aggregation American Data Privacy and Protection Act Federal Legislation

  • DOJ reports on cybersecurity and announces seizure of $500,000 from hackers

    Privacy, Cyber Risk & Data Security

    On July 19, Deputy Attorney General Lisa O. Monaco spoke before the International Conference on Cyber Security (ICCS) 2022 regarding DOJ’s efforts to combat the increase in cyberattacks. Monaco also announced the release of the Comprehensive Cyber Review, which reflects “the need to prioritize prevention, to ensure we are doing all we can to help victims, and above all else – to use all the tools at our disposal, working with partners here and around the globe, across the government and across the private sector.” The report noted that the “failure of certain technology companies” to meet their legal obligations “is a major factor in allowing criminals to escape detection and apprehension.” The report also noted that over the last decade, companies have “proactively taken independent actions” against cybercriminals without prior coordination with U.S. law enforcement officials. The report argues that “there is no reason that criminal activities in the cyber context should be handled differently than in the real world, where it would almost be unheard of for private companies to observe criminal activity” without informing law enforcement as soon as possible and then working with law enforcement to further identify and disrupt the criminal activity. The report recommends that the Justice Department and U.S. technology companies “develop a voluntary set of principles regarding the proactive and systematic reporting of cybercriminal activities using their platforms.”

    Monaco also announced that the FBI and DOJ “disrupted” a North Korean state-sponsored hacking group that targeted U.S. medical facilities and other public health sector organizations. According to the DOJ’s press release, the Department seized $500,000 in cryptocurrency paid as ransom to North Korean hackers who used a ransomware strain to encrypt the files and servers of a medical center in Kansas. After more than a week of being unable to access its encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of its computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the previously unseen North Korean ransomware and trace the cryptocurrency to China-based money launderers.

    Privacy, Cyber Risk & Data Security DOJ Cryptocurrency Enforcement Cyber Risk & Data Security

  • Coalition of state AGs release comment letter in opposition of federal privacy bills

    Privacy, Cyber Risk & Data Security

    On July 19, a coalition of state attorneys general, led by the California AG, released a comment letter in opposition to the American Data Privacy and Protection Act (ADPPA), H.R. 8152, and the Consumer Online Privacy Rights Act (COPRA), S. 3195. In the letter, the state AGs argued that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation. The AGs expressed concern that the bills, as drafted, “appear to substantially preempt many states’ ability to investigate” federal privacy law violations. Specifically, the AGs argued that while the bills purport to preserve “state consumer laws and causes of action,” they also provide that “a violation of this Act shall not be pleaded as an element of any such cause of action.” The state AGs noted that usually “a violation of a federal law or standard could also be a violation of state consumer protection law. But [the bills] would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims.” The state AGs consider this language to “unnecessarily interfere with robust enforcement capabilities.”

    Privacy, Cyber Risk & Data Security State Attorney General State Issues American Data Privacy and Protection Act Federal Legislation

  • California’s privacy agency initiates formal CPRA rulemaking

    Privacy, Cyber Risk & Data Security

    On July 8, the California Privacy Protection Agency (CPPA) initiated formal rulemaking procedures to adopt proposed regulations implementing the California Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during a February meeting that the rulemaking process would extend into the second half of the year.

    The July proposed regulations modify definitions in the CCPA regulations; outline restrictions on the collection and use of personal information; provide disclosure and communications requirements; describe requirements for submitting CCPA requests and obtaining consumer consent; amend required privacy notices; provide instructions for the Notice of Right to Limit Use of Sensitive Personal Information; amend methods for handling consumer requests to delete, correct, and know; set forth requirements for opt-out preference signals; and address consumer requests for limiting the use and disclosure of sensitive personal information. Comprehensive details of the modified provisions and proposed regulations are available in previous InfoBytes coverage here.

    The CPPA stated in its notice of proposed rulemaking that the proposed regulations serve three primary purposes: to (i) “update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA”; (ii) “operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law”; and (iii) “reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.” The CPPA emphasized that the proposed regulations are designed to factor in privacy laws in other jurisdictions and “implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.” This design, the CPPA said, will simplify compliance for businesses operating across jurisdictions and avoid unnecessary confusion for consumers who may not understand which laws apply to them.

    A hearing on the proposed regulations is scheduled for August 24 and 25. Comments are due August 23.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues California CPRA CCPA CPPA Consumer Protection

  • FTC seeks to protect highly sensitive data

    Privacy, Cyber Risk & Data Security

    On July 11, the FTC’s Division of Privacy & Identity Protection published a blog post addressing risks associated with the sharing of highly personal information with strangers, particularly with respect to the use of technology that directly observes or derives sensitive information about users. The FTC noted that aside from location information, which is often automatically generated from consumers’ connected devices, consumers are also actively generating sensitive health information, including personal reproductive data, through apps on their devices. This “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers,” the FTC warned, pointing to the “ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.” Additionally, once the sensitive information is collected, the FTC said that consumers usually have no idea who has access to it, what the information is being used for, or that companies are profiting from the sale of their data. “The misuse of mobile location and health information–including reproductive health data–exposes consumers to significant harm,” the FTC stated. “Criminals can use location or health data to facilitate phishing scams or commit identity theft . . . and may subject people to discrimination, stigma, mental anguish, or other serious harms.” The FTC reminded companies that it is committed to using the full scope of its legal authorities to protect consumers’ privacy and that it “will vigorously enforce the law” to protect the security and privacy of consumers’ personal information. Companies are advised that sensitive information is protected by several federal and state laws and that making claims that data is “anonymous” or “has been anonymized” may be a deceptive trade practice under the FTC Act if untrue. 

    Privacy, Cyber Risk & Data Security FTC Consumer Protection Third-Party Drug Enforcement Administration
