
InfoBytes Blog

Financial Services Law Insights and Observations


  • Final deadline approaching for NYDFS cybersecurity regulation

    Privacy, Cyber Risk & Data Security

    On January 31, NYDFS issued a reminder to regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation is March 1. Under the regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders, and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’s cybersecurity portal is February 15.

    Previous InfoBytes coverage of NYDFS’s cybersecurity regulation is available here.

    Tags: Privacy/Cyber Risk & Data Security · NYDFS · 23 NYCRR Part 500 · State Issues · Third-Party

  • FINRA provides 2019 risk monitoring and examination guidance

    Agency Rule-Making & Guidance

    On January 22, the Financial Industry Regulatory Authority (FINRA) issued new guidance on areas member firms should consider when seeking to improve their compliance, supervisory, and risk management programs. The 2019 FINRA Risk Monitoring and Examination Priorities Letter (2019 Priorities Letter) examines both new priorities and areas of ongoing concern, including the adequacy of firms’ cybersecurity programs. FINRA notes, however, that the 2019 Priorities Letter does not repeat topics addressed in prior letters, and advises member firms that it will continue to review their ongoing compliance obligations. Topics FINRA plans to focus on in the coming year include:

    • Firms’ use of regulatory technology to help compliance efforts become “more efficient, effective, and risk-based.” FINRA will work with firms to understand risks and concerns related to supervision and governance systems, third-party vendor management, and safeguarding customer data;
    • Supervision of digital assets, including coordinating with the SEC to review how firms determine whether a given digital asset is a security and whether firms are implementing adequate controls and supervisions related to digital assets, such as complying with anti-money laundering and Bank Secrecy Act rules and regulations;
    • Assessment of firms’ compliance with FinCEN’s Customer Due Diligence rule, which requires firms to identify beneficial owners of legal entity customers (as previously covered by InfoBytes here); and
    • Financial risks, including credit risks, funding and liquidity planning.

    Tags: Agency Rule-Making & Guidance · Fintech · FINRA · Cryptocurrency · Examination · FinCEN · CDD Rule · Privacy/Cyber Risk & Data Security · Bank Secrecy Act

  • Massachusetts amends legislation protecting consumers from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General and to certify that their credit monitoring services are in compliance.
    • State that consumers must receive notice in the event of a breach of security, including information on the right to obtain police reports, the steps for requesting a security freeze, and available mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    Tags: State Issues · State Legislation · Credit Reporting Agency · Privacy/Cyber Risk & Data Security · Security Freeze · Data Breach

  • District Court: FCRA lawsuit passes Spokeo test, survives motion to dismiss

    Courts

    On January 8, the U.S. District Court for the Northern District of Illinois denied a bank’s motion to dismiss claims that it had obtained a credit report without a permissible purpose, ruling that the allegations rise above a mere procedural violation of the FCRA. According to the opinion, the consumer alleged that the bank accessed her credit report and obtained personal information, including current and past addresses, birth date, employment history, and telephone numbers, without having a personal business relationship with her, without any information to suggest she owed the debt, and without receiving her consent for the release of the report. The bank argued that the consumer’s claim was only a “bare procedural violation” and not a concrete injury in fact as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Sandler Special Alert). However, the court determined that the consumer’s allegation of an invasion of privacy, which occurred when the bank accessed her credit report from a consumer reporting agency without receiving consent and with no legitimate business reason to do so, “adequately alleges a concrete injury sufficient to confer standing.”

    Tags: Courts · Privacy/Cyber Risk & Data Security · Spokeo · Credit Report · FCRA

  • Retailer settles multistate data breach investigation for $1.5 million

    State Issues

    On January 8, a national retailer reached a $1.5 million multistate settlement with 43 states and the District of Columbia to resolve an investigation following a 2013 data breach of customer payment card information. According to the Illinois Attorney General’s announcement, the retailer will implement provisions to prevent future breaches, such as (i) complying with Payment Card Industry Data Security Standard requirements; (ii) maintaining a system to collect and monitor network activity; (iii) updating software that maintains and safeguards personal information; and (iv) devaluing payment card information through the use of encryption and tokenization technology to obfuscate payment card data. The retailer must also retain a third-party professional responsible for conducting an information security assessment and report, as well as outlining corrective measures.

    Tags: State Issues · Privacy/Cyber Risk & Data Security · State Attorney General · Credit Cards · Data Breach · Settlement

  • District Court: Privacy claims related to incentive compensation sales program can proceed

    Courts

    On December 31, 2018, the U.S. District Court for the District of Utah granted in part and denied in part a national bank’s motion to dismiss putative class action claims concerning the bank’s use of confidential customer information to open deposit and credit card accounts as part of its incentive compensation sales program. (See previous InfoBytes coverage here.) According to the court, the plaintiffs claiming accounts were opened in their names plausibly alleged that the bank benefited from an increase in the number of accounts and products, and the court, disagreeing with the bank, declined to dismiss the misappropriation-of-name claim because those plaintiffs’ names and identities had value beyond those of the general public. While the majority of the state claims and all federal claims were dismissed, the court allowed four state claims to remain, including invasion of privacy. However, the court requested that the parties address why it should not decline to exercise jurisdiction over the state law claims following the dismissal of all federal claims.

    Additionally, the court dismissed claims brought by “Bystander Plaintiffs” who did not allege the opening of any unauthorized accounts in their names, or claim that their information was ever improperly used or accessed or that they were subject to improper sales practices. Because the Bystander Plaintiffs claimed only that they would not have opened accounts if bank employees had told them about the alleged issues, the court dismissed their claims for lack of Article III standing, reasoning that they did not allege any injury.

    Tags: Courts · Incentive Compensation · Privacy/Cyber Risk & Data Security · Spokeo

  • Massachusetts Attorney General settles with payment processor over data breach claims

    State Issues

    On December 19, the Massachusetts Attorney General announced a $155,000 settlement with a California-based payment processor resolving allegations that the company exposed consumers’ personal information online in violation of consumer protection and data security laws. According to the announcement, company employees accidentally removed password protections from public-facing websites, which exposed consumers’ personal data, such as bank account and social security numbers, addresses, and driver’s license numbers. The Attorney General’s investigation found that company employees appeared to have known of the vulnerability for a year before fixing it. Under the terms of the settlement, the company has agreed to comply with Massachusetts laws and is required to (i) maintain a chief information security officer; (ii) conduct employee training on data security; and (iii) “assess and update information security policies relating to changes to its systems and to external vulnerabilities.”

    Tags: State Issues · State Attorney General · Data Breach · Privacy/Cyber Risk & Data Security · Settlement

  • VA releases Loan Guaranty Red Flag Rules Policy

    Agency Rule-Making & Guidance

    On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as “Vendee loans”), Native American Direct Loans, and refunded loans held by the VA. The policy lists categories and warning signs monitored by the VA, such as (i) credit reporting agency alerts; (ii) suspicious documents that look altered or forged; (iii) suspicious or fictitious personal identifying information; and (iv) account activity inconsistent with established patterns. The policy notes that the VA Office of Inspector General will investigate accounts flagged for possible identity theft, and that holds will be placed on suspicious accounts or transactions as necessary.

    The VA is required by the FTC’s Red Flags Rule to develop and implement a written identity theft prevention program. Notably, as previously covered by InfoBytes, the FTC is seeking comments on whether the agency should make changes to the Rule. Comments are due by February 11, 2019.

    Tags: Agency Rule-Making & Guidance · Department of Veterans Affairs · FTC · Identity Theft · Privacy/Cyber Risk & Data Security

  • New York Attorney General settles with five companies over mobile app security failures

    State Issues

    On December 14, the New York Attorney General announced settlements with five companies, including a global payment processor, a credit reporting agency, and a credit score company, whose mobile apps allegedly failed to secure sensitive user data. As part of the Attorney General’s initiative to uncover vulnerabilities before a data breach occurs, the office tested dozens of mobile apps that handle consumer information such as credit card and bank account numbers. After testing, the Attorney General determined that certain versions of the five companies’ apps failed to properly authenticate the “SSL/TLS” certificates that are used to verify the identity of the computer attempting to establish a connection with the mobile device. According to the Attorney General, this failure could allow an attacker to impersonate the companies’ servers and intercept information, including credit card information, entered into the app by the user. The settlement requires the companies to implement a comprehensive security program to protect their users’ information.

    Tags: State Issues · State Attorney General · Privacy/Cyber Risk & Data Security · Settlement

  • FCC to create reassigned number database to reduce unwanted calls

    Agency Rule-Making & Guidance

    On December 12, the FCC adopted new rules to establish a single, comprehensive database designed to reduce the number of calls inadvertently made to reassigned numbers, as part of its strategy to help stop unwanted calls. According to FCC Chairman Ajit Pai, the database would enable callers to verify, prior to placing a call, whether a number has been permanently disconnected and is therefore eligible for reassignment. Currently, callers may be held liable under the TCPA should they call a reassigned number where the new party did not consent to receiving calls. The FCC also announced it will (i) add a safeguard requiring a “minimum ‘aging’ period of 45 days before permanently disconnected telephone numbers can be reassigned”; and (ii) provide a safe harbor from TCPA liability for any calls to reassigned numbers due to database error. However, FCC Commissioner Michael O’Reilly, while supporting the creation of the database, expressed reservations about both its cost and its effectiveness, stating “only the honest and legitimate callers will consult the reassigned numbers database—not the criminals and scammers.” O’Reilly suggested developing better, more logical interpretations of the TCPA, asserting that “much more work remains, particularly on narrowing the prior Commission’s ludicrous definition of ‘autodialer,’ and eliminating the lawless revocation of consent rule.”

    Additionally, the FCC announced a ruling (see FCC 18-178) denying requests from mass-texting companies and other parties for text messages to be classified as “‘telecommunications services’ subject to common carrier regulations under the Communication Act.” If the request had been granted, the FCC stated, the classification would have limited wireless providers’ efforts to effectively combat spam and scam robotexts. Rather, the FCC classified SMS and Multimedia Messaging Services as “information services” under the Communications Act, which allows wireless providers to take action to stop unwanted text messages, such as applying filtering technologies to block messages that are likely spam.

    Tags: Agency Rule-Making & Guidance · FCC · Privacy/Cyber Risk & Data Security · Robocalls · TCPA
