InfoBytes Blog

Financial Services Law Insights and Observations

  • D.C. Circuit rejects challenge to FTC’s 2016 staff letter on soundboard technology

    Courts

    On April 27, the U.S. Court of Appeals for the D.C. Circuit dismissed a challenge to a November 2016 FTC staff letter, which announced that the FTC would treat calls using soundboard technology as robocalls. According to the D.C. Circuit opinion, the FTC’s 2016 staff letter rescinded a 2009 staff letter that had concluded that soundboard technology was not subject to robocall regulation. The Soundboard Association filed suit seeking to enjoin the rescission of the 2009 letter, arguing that the 2016 staff letter violated the Administrative Procedure Act (APA) by issuing a legislative rule without notice and comment, and that it unconstitutionally restricted speech in violation of the First Amendment. The lower court granted summary judgment for the FTC, holding that the 2016 letter did not violate the First Amendment and that the letter was an interpretive rule and therefore not subject to the APA’s notice and comment requirements. On appeal, the D.C. Circuit vacated the lower court’s decision and dismissed the action in its entirety, holding that the 2016 letter was not a “final agency action” and that the plaintiffs therefore failed to state a cause of action under the APA.

    Courts D.C. Circuit Appellate FTC Robocalls Privacy/Cyber Risk & Data Security

  • Court preliminarily approves $80 million settlement for shareholders after global internet company data breach

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California granted preliminary approval of a settlement between a global internet media company and its shareholders over alleged securities law violations related to cybersecurity breaches in 2013 and 2014. The $80 million settlement resolves a consolidated shareholder action accusing the company of making misleading statements to shareholders about the company’s data security. According to the order, the settlement applies to all shareholders who acquired the company’s securities between April 30, 2013 and December 14, 2016. As previously covered by InfoBytes, the company was recently ordered by the SEC to pay $35 million to resolve allegations related to the same cybersecurity incidents.

    Privacy/Cyber Risk & Data Security Securities Data Breach Settlement SEC

  • Maryland expands authority over credit reporting agencies

    State Issues

    On May 8, Maryland Governor Larry Hogan signed HB848, which expands Maryland’s authority over credit reporting agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the definition of “protected consumer” for purposes of free security freezes to include persons age 85 or older, certain members of the military, and incarcerated individuals. The law also (i) codifies an existing requirement that CRAs register with the Office of the Commissioner of Financial Regulation (OCFR); (ii) allows the OCFR to investigate written consumer complaints against CRAs; and (iii) increases the maximum civil monetary penalty to $1,000 for the first violation and $2,500 for each subsequent violation. The law is effective October 1.

    State Issues Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

  • FTC settles with cellphone manufacturer over data security issues

    Privacy, Cyber Risk & Data Security

    On April 30, the FTC and a Florida cellphone manufacturer entered into a settlement over allegations that the manufacturer allowed third-party data collection from customer phones after falsely claiming that data collection was limited to the information the third parties needed to perform the requested services. According to the complaint, released at the same time as the settlement, the manufacturer contracted with a Chinese technology company to issue security and operating system updates to the manufacturer’s devices. When issuing those updates, the Chinese company collected and transferred personal information about the device owners without their consent or knowledge, including text messages, call logs, and contact lists. In November 2016, the practice became public and the manufacturer issued a notice informing its customers that the Chinese company had changed its software to no longer collect the personal information. However, the manufacturer allegedly continued to allow the practice on older devices. The FTC alleges that the manufacturer failed to perform adequate due diligence in selecting the Chinese company and failed to adopt and implement written security standards for its third-party providers. Under the settlement, the manufacturer, among other things, is (i) prohibited from future misrepresentations about security and privacy; (ii) required to establish and implement a comprehensive data security program; and (iii) subject to data security assessments by a third party every two years for the next 20 years.

    Privacy/Cyber Risk & Data Security Federal Issues FTC Third-Party

  • Senators release report on credit reporting agency from data in CFPB’s public complaint database

    Federal Issues

    On April 30, three Democratic members of the Senate Banking Committee released a report addressing publicly available complaints the CFPB received regarding the 2017 data breach announcement by a national credit reporting agency. In a letter to the CFPB that accompanied the release of the report, the Senators encouraged the Bureau to “hold [the credit reporting agency] accountable and act quickly and decisively to protect the millions of consumers harmed by the breach.” Additionally, the Senators made a plea for the CFPB to continue to keep consumer complaints public, citing recent remarks by Mulvaney that the database would soon be removed from public view. According to the report, within six months of the data breach announcement, which reportedly affected 143 million American consumers, the CFPB received over 20,000 complaints against the company. Among those 20,000 complaints, the issues consumers raised include (i) “improper use of a credit report after the breach”; (ii) “incorrect information on credit report”; (iii) “[Company]’s inadequate assistance in resolving problems after the breach”; and (iv) “[Company]’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products.” The report also cites specific narratives from consumer complaints that were available through the CFPB’s consumer complaint database.

    Federal Issues CFPB Consumer Complaints Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

  • Global internet media company fined $35 million for cybersecurity breach disclosures

    Privacy, Cyber Risk & Data Security

    On April 24, the SEC ordered a global internet media company, acquired in 2017 by a global communications company, to pay $35 million to settle claims alleging that the company failed to disclose a 2014 cybersecurity breach in which Russian hackers stole data from over 500 million user accounts. Compromised private user information included usernames, email addresses, phone numbers, birthdates, passwords, and security questions and answers. According to the SEC’s cease-and-desist order, during the two years following the breach, the internet media company (i) failed to inform outside counsel or auditors of the breach so that public filing disclosure obligations could be assessed; (ii) failed to maintain internal disclosure controls and procedures designed to ensure that the information security team’s reports addressing actual data breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure; and (iii) made misleading statements in its public filings that warned investors only of the “risk of potential future data breaches” without disclosing the 2014 data breach. The SEC claimed that the disclosure violations continued while acquisition discussions were held in 2016 and resulted in renegotiation of the terms of the company’s sale, including a 7.25 percent reduction in price. The company ultimately disclosed the breach to the public in September 2016. In agreeing to the settlement, the company neither admitted nor denied the SEC’s findings, except as to the SEC’s jurisdiction over the matter.

    Privacy/Cyber Risk & Data Security Data Breach Settlement SEC Disclosures

  • 9th Circuit denies online retailer’s petition for full panel review of decision on standing in data breach case

    Courts

    On April 20, the U.S. Court of Appeals for the 9th Circuit denied an online retailer’s request to have the full bench reconsider the court’s March 8 ruling, which held that the increased risk of fraud or identity theft from a data breach gave consumers Article III standing to sue. As previously covered by InfoBytes, the underlying action arises from a 2012 data breach affecting over 24 million shoppers. Previously, the three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because, among other things, the stolen information provided hackers the “means to commit fraud or identity theft.” The online retailer petitioned for review by the full court. The court declined, leaving in place the panel’s decision that the plaintiffs sufficiently alleged a risk of future harm.

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach Class Action U.S. Supreme Court

  • FDIC OIG releases Special Inquiry Report to address breach response plan

    Privacy, Cyber Risk & Data Security

    On April 16, the FDIC’s Office of Inspector General (OIG) released its Special Inquiry Report, “The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches,” which contains findings from an examination of the FDIC’s practices and policies related to data security, incident response and reporting, and Congressional interactions. The Special Inquiry Report is the culmination of a request made in 2016 by the former Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, and focuses on the circumstances surrounding eight information security incidents that occurred in 2015 and 2016, seven of which involved personally identifiable information and constituted data breaches. The eighth incident involved the removal of “highly sensitive components of resolution plans submitted by certain large systemically important financial institutions without authorization” by a departing FDIC employee.

    According to the report, the OIG asserts that, among other things, the FDIC failed to (i) put in place a “comprehensive incident response program and plan” to handle security incidents and breaches; (ii) clearly document risk assessments and decisions associated with data incidents; (iii) fully consider the range of impacts on bank customers whose information was compromised; (iv) promptly notify consumers when an incident occurred, and did not adequately treat notification as a decision separate from whether it would provide credit monitoring services; (v) for at least one incident, convey the seriousness of the breach; and (vi) provide timely, accurate, and complete responses to Congressional requests for information about how the agency was handling the incidents.

    As a result of these findings, the OIG presented recommendations and timeframes for the FDIC to “address the systemic issues.” Recommendations include: (i) clearly defining roles and responsibilities within the FDIC Breach Response Plan, and establishing procedures “consistent with legal, regulatory, and/or operational requirements for records management”; (ii) establishing a separation between consumer breach notifications and the offer of credit monitoring services; (iii) adhering to established timeframes for reporting incidents to FinCEN when suspicious activity report information has been compromised; (iv) conducting an annual review of the Breach Response Plan to confirm that the guidance has been consistently followed during the preceding year; (v) developing guidance and training to ensure that employees and contractors are fully aware of the legal consequences of removing any sensitive information from FDIC premises before they depart; (vi) ensuring that FDIC policies, procedures, and practices result in complete, accurate statements and representations to Congress, and updating and correcting prior statements and representations as necessary; (vii) clarifying “legal hold policies and processes”; and (viii) specifying that the Office of Legislative Affairs is responsible for “providing timely responses to Congressional requests and communicating with Congressional staff regarding those requests.”

    The FDIC concurred with the recommendations and has completed corrective actions for two, with plans to address the remaining recommendations between June and December of this year. The FDIC has also agreed to keep the OIG informed of the progress made to address the identified performance issues.

    Privacy/Cyber Risk & Data Security FDIC OIG Data Breach Congress Senate Banking Committee

  • House passes measures to address identity theft

    Federal Issues

    On April 18, the House passed H.R. 2905 by a vote of 403-3. The “Justice for Victims of IRS Scams and Identity Theft Act of 2017” would direct the DOJ and the Treasury Department to submit reports to Congress detailing identity theft prosecutions. The DOJ’s report must contain the number of identity theft cases referred to the agency during the previous five years, along with recommendations for improving fraud deterrence, prevention, and interagency collaboration. The bill would also require Treasury to report on efforts to assist in the prosecution of individuals who fraudulently posed as IRS agents, as well as on trends and the resources needed to improve the prosecution of IRS impostors. All reports would be due 120 days after the bill’s enactment.

    On April 17, the House voted 420-1 to pass H.R. 5192, which would, among other things, require the Social Security Administration to provide a database through which financial institutions can validate fraud protection data (an individual’s name, social security number, and date of birth) when attempting to “reduce the prevalence of synthetic identity fraud.” In particular, H.R. 5192 is designed to protect the needs of vulnerable consumers, including minors and recent immigrants, and limits inquiries to those with a permissible purpose in accordance with section 604 of the Fair Credit Reporting Act. Further, prior to submitting a verification request, a financial institution must obtain the consumer’s electronic consent.

    Federal Issues Federal Legislation Privacy/Cyber Risk & Data Security U.S. House Identity Theft

  • National Institute of Standards and Technology issues updated cybersecurity framework

    Privacy, Cyber Risk & Data Security

    On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance, which critical infrastructure sectors, including the financial services industry, are encouraged to follow voluntarily to mitigate cybersecurity risk. Updates in Cybersecurity Framework Version 1.1 (Framework) incorporate comments received through public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations clarifying that the Framework can be used to demonstrate compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity risk within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process by which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruption when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”

    As previously covered in InfoBytes, last year President Trump issued an Executive Order directing federal agencies to follow NIST’s Framework to manage cybersecurity risk.

    Privacy/Cyber Risk & Data Security NIST Risk Management
