InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York Department of Financial Services issues Covid-19 cybersecurity guidance
On April 13, the New York Department of Financial Services issued guidance on cybersecurity awareness during the Covid-19 pandemic. The guidance identifies three areas of heightened risk: (i) remote working, including the risks associated with less secure internet connections, expanded use of less secure personal devices, increased use of video and audio-conferencing applications, and use of unauthorized personal accounts and applications to transmit non-public information; (ii) increased online phishing and fraud attempts; and (iii) increased risk to third party vendors. In accordance with the DFS’s cybersecurity regulation, all regulated entities are instructed to assess these risks and address them appropriately.
D.C. enacts data breach requirements and consumer protections
On March 26, the mayor of the District of Columbia signed Act 23-268 to expand data privacy and consumer protection measures. Among other things, the “Security Breach Protection Amendment Act of 2020” (i) expands the definition of personal information subject to the Act; (ii) specifies the required contents of a security breach notification and requires that written notice of a breach involving 50 or more District residents be provided to the District’s attorney general; (iii) specifies security requirements for the protection of personal information, including for nonaffiliated third-party service providers; (iv) requires consumers to be provided at least 18 months of non-cost identity theft prevention services for data breaches involving the release of a social security or tax identification number; and (v) stipulates that a violation of these requirements is considered an unfair or deceptive trade practice. The Act takes effect following a 30-day congressional review period and publication in the District of Columbia Register.
Texas regulator, industry groups warn of increased cyber risk
On April 8, the Texas Department of Banking, the Independent Bankers Association of Texas and the Texas Bankers Association issued a joint notice warning that cybercriminals and nation state actors use times of crisis to exploit financial institutions. The notice urged institutions to warn employees and customers of social engineering, remind them of when online/virtual meeting platform links are expected and legitimate, and inform them of scams that are preying on Covid-19 fears. The notice also suggested institutions redistribute IT policies to employees and remind them about security expectations, and maintain secure connections for remote workers.
FTC and FCC warn VoIP service providers about illegal Covid-19 robocalls
On April 3, the FTC and the FCC sent letters to three Voice over Internet Protocol (VoIP) service providers, warning the companies to stop sending spam robocall campaigns promoting Covid-19 related scams. According to the agencies, “routing and transmitting illegal robocalls, including Coronavirus-related scam calls, is illegal and may lead to federal law enforcement.” The agencies sent a separate letter to a telecommunications trade association thanking the group for its assistance in identifying the campaigns and relaying a warning that the FCC will authorize U.S. providers to begin blocking calls from the three companies if they do not comply with the agencies’ request within 48 hours after the release of the letter.
FCC orders phone companies to deploy STIR/SHAKEN framework
On March 31, the FCC adopted new rules that will require phone companies in the U.S. to deploy STIR/SHAKEN caller ID authentication framework by June 30, 2021. As previously covered by InfoBytes, the STIR/SHAKEN framework addresses “unlawful spoofing by confirming that a call actually comes from the number indicated in the Caller ID, or at least that the call entered the US network through a particular voice service provider or gateway.” FCC Chairman Ajit Pai endorsed the value of widespread implementation, stating the framework will “reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify—and even block—calls with illegal spoofed caller ID information before those calls reach their subscribers.” The new rules also contain a further notice of proposed rulemaking, which seeks comments on additional efforts to promote caller ID authentication and implement certain sections of the TRACED Act. Among other things, the TRACED Act—signed into law last December (covered by InfoBytes here)—mandated compliance with STIR/SHAKEN for all voice service providers.
District of Columbia permits mortgage brokers and originators to work from home, delays reporting deadlines
On March 27, the District of Columbia Department of Insurance, Securities and Banking issued guidance to mortgage lenders, mortgage brokers and mortgage loan originators permitting them to work from non-licensed branches or locations during the Covid-19 outbreak. The guidance requires the maintenance of appropriate data protection and cybersecurity measures when working remotely. The department also extended the deadline for filing annual reports from March 31 to June 1. Finally, the guidance notes that all evictions of tenants and foreclosed homeowners on or before May 1 are stayed, and required mediation hearings are extended from 90 days to 120 days following the date of mailing of the notice of default.
FINRA provides cybersecurity alert containing measures firms should consider in adjusting to Covid-19
On March 26, FINRA released a cybersecurity alert providing FINRA firms and associated persons with measures they can take to help strengthen their cybersecurity controls in areas where risks may increase in the current environment. The alert contains recommendations concerning the security of office and home networks, computers, and mobile devices. It also addresses common methods of scams and attacks during Covid-19. The alert recommends that firms provide staff with training regarding cybersecurity.
FDIC posts Covid-19 FAQs for bankers and bank customers
On March 19, the FDIC issued FIL-18-2020, which highlights frequently asked questions for bank customers and banks affected by Covid-19. The FAQs, are available on the FDIC’s Covid-19 webpage. Bank customer FAQs cover questions regarding (i) deposit insurance; (ii) customer access to money; (iii) tips for avoiding scams; and (iv) identity theft, among other things. The FAQs for financial institutions cover topics including working with borrowers affected by Covid-19 through payment accommodations, reporting delinquent loans, and operational issues affecting institutions.
Vermont enacts data privacy and consumer protections
On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification numbers, passport numbers, military identification card numbers, other government-originated identification numbers “commonly used to verify identity for a commercial transaction,” unique biometric data, and health records; (ii) provides that if a data breach is limited to the unauthorized acquisition of login credentials, data collectors are only required to provide notice to the state attorney general or the Department of Financial Regulation “if the login credentials were acquired directly from the data collector or its agent”; (iii) establishes requirements to ensure consumers are provided notice of a data breach; (iv) adopts online privacy protections for students, including prohibitions on the use of targeted advertising and the sale or rent of student information, as well as responsibilities for operators of online services or mobile applications; and (v) requires that consumer contracts clearly disclose any automatic renewal provisions and allow consumers to easily terminate contracts. SB 110 takes effect July 1.
Maine Bureau of Consumer Credit Protection provides guidance to MLOs
On March 18, the Maine Bureau of Consumer Credit Protection provided interim guidance to MLOs, allowing employees to work from home as long as data security provisions are in place, and physical business records are stored only at the licensed main office. The guidance will be effective through May 1, 2020.