InfoBytes Blog

Financial Services Law Insights and Observations

  • Payment Network Providers Seek Collaboration On Digital Payment Standard

    Fintech

    On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.

    Payment Systems Mobile Commerce Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • California Enacts Children's Online Privacy Legislation

    Privacy, Cyber Risk & Data Security

    On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor, who is a registered user of the operator’s website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • August Beach Read Series: Growing Mobile Technology Impacts the Financial Services Industry

    Fintech

    As the technology continues to grow and become a part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledged platform for electronic financial services, especially for mobile payments.

    The variety and number of mobile devices and service providers to support them have introduced new and different stakeholders – all of whom are competing with traditional financial institutions for dominance in the mobile commerce/mobile payment space. This new and rapidly evolving environment presents new and operational risks for consumers, payment providers, and the recipients of the payments. It will be vital to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions.

    To learn more about the mobile technology issues impacting the financial services industry, please review some of our recent articles on the issue. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy,” Ian Spear discussed the recent guidance and flexible guidelines issued by the FFIEC and FTC.

    FTC Mobile Commerce FFIEC Mobile Payment Systems

  • Federal Privacy Stakeholder Meeting Addresses Mobile Application Transparency

    Fintech

    Recently, the multi-stakeholder process established in connection with the White House’s February 2012 privacy report met to discuss mobile application transparency, including a voluntary code of conduct for mobile application developers. The code covers mobile application short form notices intended to provide consumers enhanced transparency about data collection and sharing practices. Application developers that choose to adopt the voluntary code would employ short form notices that describe (i) the collection of certain types of data – including biometrics, browser history, phone or text log, financial information, location, and more – whether or not consumers know that it is being collected, (ii) a means of accessing a long form privacy policy, if any exists, (iii) the sharing of user-specific data, if any, with certain third parties – e.g. consumer data resellers, data analytics providers, ad networks, and government entities, and (iv) the identity of the entity providing the application. In addition to being voluntary, the code exempts common application collection and sharing activities for operational purposes.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • FTC Updates Guidance for Search Engines on Advertising

    Fintech

    On June 25, the FTC announced updated guidance for the search engine industry on distinguishing paid search results from natural search results. The updated guidance was in the form of letters sent to seven general purpose search engines and 17 high traffic specialized search engines. The FTC noted that the principles of its original 2002 guidance still apply, but that changes in the search industry and requests from industry and consumer groups led the agency to issue the revised guidance. The guidance states that the failure to clearly and prominently distinguish advertising from natural search results, such as through visual cues, labels, or other techniques, could constitute a deceptive practice. The FTC also noted that the principles of the guidance should be applied to new means used by consumers to search for information, such as social media, mobile applications and voice assistants on mobile devices.

    FTC Mobile Commerce

  • NIST Issues Mobile Device Security Guidelines

    Fintech

    On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.

    Mobile Commerce NIST Privacy/Cyber Risk & Data Security

  • FTC Sends COPPA Update Educational Letters

    Fintech

    On May 15, the FTC announced that it sent letters to businesses to help them comply with new requirements under the revised Children’s Online Privacy Protection Act (COPPA) rule. The letters went to 90 businesses whose online services or mobile applications appear to collect personal information from children under 13, as defined by the revised rule. The letters differ depending on whether the business is domestic or foreign, and whether the business collects images or sounds of children, or collects persistent identifiers.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • Court Dismisses California AG's First Suit Against Mobile Application Provider Under Online Privacy Protection Act

    State Issues

    On May 9, the Superior Court of California dismissed California Attorney General Kamala Harris’ first suit against a company for allegedly failing to comply with the state’s Online Privacy Protection Act. California v. Delta Air Lines Inc., No. 12-526741, Order (Cal. Sup. Ct. May 9, 2013). The state alleged that since at least 2010, Delta Airlines operated a mobile application that allows customers to, for example, check in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claimed that the Delta application collects substantial personally identifiable information without providing a privacy policy. The suit sought an injunction and penalties of up to $2,500 for each violation. Reportedly, the court determined that the suit was preempted by the federal Airline Deregulation Act, which prohibits states from regulating certain airline functions, including, according to Delta and the court, the mobile application at issue in this case. The suit against Delta was filed after the AG sent letters to Delta and numerous other mobile application developers and providers advising those entities of their alleged noncompliance with state privacy law, and forms part of a broader enforcement effort by the AG with regard to online and mobile privacy.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • Federal Reserve Board Report Reviews Consumer Use of Mobile Financial Services

    Fintech

    On March 27, the Federal Reserve Board presented the findings of a November 2012 online survey of consumers’ use of mobile technology to access financial services and make financial decisions. The report follows a related March 2012 Federal Reserve Board report, and includes the Board’s general findings that (i) mobile phones and mobile Internet access are in widespread use, (ii) the ubiquity of mobile phones is changing the way consumers access financial services, (iii) mobile phones are also changing the way consumers make payments, (iv) security and usefulness concerns continue to be the main impediments to the adoption of mobile financial services, (v) smartphones are changing the way people shop, and (vi) mobile phones are prevalent among unbanked and underbanked consumers. The report points out that the use of mobile phones to make payments at the point of sale has increased more rapidly than the use of mobile phones for banking, and that there is “substantial growth potential” for mobile payments as the ability to make them becomes more widespread.

    Federal Reserve Mobile Banking Mobile Commerce Mobile Payment Systems

  • FTC Announces First Settlement of Privacy-By-Design Case against Device Manufacturer

    Fintech

    On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.

    Mobile Commerce Privacy/Cyber Risk & Data Security
