Category Archives: Financial Privacy

FTC Seeks Public Comment on Identity Theft Rules

On December 4, 2018, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on whether any amendments should be made to the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule”) and the duties of card issuers regarding changes of address (“Card Issuers Rule”) (collectively, the “Identity Theft Rules”). The request for comment forms part of the FTC’s systematic review of all current FTC regulations and guides. These periodic reviews seek input from stakeholders on the benefits and costs of specific FTC rules and guides along with information about their regulatory and economic impacts.

The Red Flags Rule requires certain financial entities to develop and implement a written identity theft detection program that can identify and respond to the “red flags” that signal identity theft. The Card Issuers Rule requires that issuers of debit or credit cards (e.g., state credit unions, general retail merchandise stores, colleges and universities, and telecom companies) implement policies and procedures to assess the validity of address change requests if, within a short timeframe after receiving the request, the issuer receives a subsequent request for an additional or replacement card for the same account.

The FTC is seeking comments on multiple issues, including:

  • Is there a continuing need for the specific provisions of the Identity Theft Rules?
  • What benefits have the Identity Theft Rules provided to consumers?
  • What modifications, if any, should be made to the Identity Theft Rules to reduce any costs imposed on consumers?
  • What modifications, if any, should be made to the Identity Theft Rules to increase their benefits to businesses, including small businesses?
  • What evidence is available concerning the degree of industry compliance with the Identity Theft Rules?
  • What modifications, if any, should be made to the Identity Theft Rules to account for changes in relevant technology or economic conditions?

The comment period is open until February 11, 2019, and instructions on how to make a submission to the FTC are included in the notice.

California Enacts Blockchain Legislation

As reported on the Blockchain Legal Resource, California Governor Jerry Brown recently signed into law Assembly Bill No. 2658 for the purpose of further studying blockchain’s application to Californians. In doing so, California joins a growing list of states officially exploring distributed ledger technology.

Specifically, the law requires the Secretary of the Government Operations Agency to convene a blockchain working group prior to July 1, 2019. Under the new law, “blockchain” means “a mathematically secured, chronological and decentralized ledger or database.” In addition to including various representatives from state government, the working group is required to include appointees from the technology industry and non-technology industries, as well as appointees with backgrounds in law, privacy and consumer protection.

Under the new law, which has a sunset date of January 1, 2022, the working group is required to evaluate:

  • the uses of blockchain in state government and California-based businesses;
  • the risks, including privacy risks, associated with the use of blockchain by state government and California-based businesses;
  • the benefits associated with the use of blockchain by state government and California-based businesses;
  • the legal implications associated with the use of blockchain by state government and California-based businesses; and
  • the best practices for enabling blockchain technology to benefit the State of California, California-based businesses and California residents.

In doing so, the working group is required to seek “input from a broad range of stakeholders with a diverse range of interests affected by state policies governing emerging technologies, privacy, business, the courts, the legal community and state government.”

The working group is also tasked with delivering a report to the California Legislature by January 1, 2020, on the potential uses, risks and benefits of blockchain technology by state government and California businesses. Moreover, the report is required to include recommendations for amending relevant provisions of California law that may be impacted by the deployment of blockchain technology.

Hunton Insurance Head Comments on Hotel Data Breach Coverage Dispute

As reported on the Insurance Recovery Blog, Hunton Andrews Kurth insurance practice head Walter Andrews recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.

The decision in St. Paul Fire & Marine Ins. Co. v. Rosen Millennium Inc., which involved a claim for coverage under two general liability insurance policies, turned on whether or not customers’ credit card information obtained from the insured’s payment system had been “made known” and by whom. According to the district court, the insurance policies required that the credit card information be “made known” by the insured, but in this instance the publication was made by the third-party hackers. As Andrews explained, however, although it was undisputed that Florida law controlled interpretation of Millennium’s policies, the district court based its decision on a prior decision under South Carolina law, which differs from Florida law in many fundamental respects. “Florida state law makes it very clear that coverage is meant to be construed in favor of the policyholder where there is ambiguity,” Andrews said. “To me, it’s clear that there were two reasonable interpretations of the insurance policy here.”

Despite the outcome, Andrews noted that there are helpful takeaways from this decision for policyholders and prospective insureds facing potential exposure from cyber events: “Given how strenuously the insurers are fighting to deny coverage for data breach claims, a readable takeaway is that policyholders should consider getting very specific cyber insurance coverage.”

View the district court’s decision, and Andrews’ comments to the Global Data Review.

New Federal Credit Freeze Law Eliminates Fees, Provides for Year-Long Fraud Alerts

Effective September 21, 2018, Section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) requires consumer reporting agencies to provide free credit freezes and year-long fraud alerts to consumers throughout the country. Under the Act, consumer reporting agencies must each set up a webpage designed to enable consumers to request credit freezes, fraud alerts, extended fraud alerts and active duty fraud alerts. The webpage must also give consumers the ability to opt out of the use of information in a consumer report to send the consumer a solicitation of credit or insurance. Consumers may find links to these webpages on the Federal Trade Commission’s Identity Theft website.

The Act also enables parents and guardians to freeze their children’s credit if they are under age 16. Guardians or conservators of incapacitated persons may also request credit freezes on their behalf.

Section 302 of the Act provides additional protections for active duty military. Under this section, consumer reporting agencies must offer free electronic credit monitoring to all active duty military.

For more information, read the FTC’s blog post.

NYDFS Cybersecurity Regulation to Apply to Consumer Reporting Agencies

On June 25, 2018, the New York Department of Financial Services (“NYDFS”) issued a final regulation (the “Regulation”) requiring consumer reporting agencies with “significant operations” in New York to (1) register with NYDFS for the first time and (2) comply with the NYDFS’s cybersecurity regulation. Under the Regulation, consumer reporting agencies that reported on 1,000 or more New York consumers in the preceding year are subject to these requirements, and must register with NYDFS on or before September 1, 2018. The deadline for consumer reporting agencies to come into compliance with the cybersecurity regulation is November 1, 2018. In a statement, Governor Andrew Cuomo said, “Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber attacks, providing them with peace of mind about their financial future.”

Virginia Amends Breach Notification Law Applicable to Income Tax Information

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

If an income tax return preparer must notify the Department of a breach, then the preparer must provide the Department with the name and taxpayer identification number of any affected taxpayer, as well as the preparer’s name and preparer tax identification number.

Financial Stability Board to Develop International Cybersecurity Lexicon

On March 20, 2018, the Financial Stability Board (“FSB”) delivered a note to finance ministers and central bank governors from the world’s top 20 economic powers, known as the G-20. The note provides a progress update on the FSB’s work to develop a common vocabulary of cyber terms. 

The FSB is developing the cyber lexicon to address cybersecurity and cyber resilience in the financial sector and hopes that it will boost cross-border cooperation on cybersecurity. The note warned that “malicious use of Information and Communication Technologies…could disrupt financial services crucial to both national and international financial systems, undermine security and confidence and endanger financial stability.”

According to the note, “[t]he FSB has formed a working group, chaired by the U.S. Federal Reserve Board and comprised of approximately 15 members representing a range of financial sectors (banks, financial market infrastructures, securities and insurance) and jurisdictions, to develop the lexicon.”

For more information, including the next steps and indicative time line, read the full note.

FTC Announces Settlement for Venmo’s Alleged Violations of the GLBA’s Privacy and Safeguards Rules

On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months that addressed these issues, following the FTC’s action against TaxSlayer, Inc., and signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules.

The FTC’s complaint alleged that Venmo violated the Privacy Rule in three separate ways. First, Venmo failed to provide a clear and conspicuous privacy notice that “did not call attention to the nature and significance of the nature of the notice.” Rather, the privacy notice in Venmo’s mobile application (the “Venmo App”) was in grey text on a light grey background that was not conspicuous to Venmo users. Second, Venmo did not provide an accurate notice that describes how Venmo shares the user’s personal information. Venmo’s privacy notice stated that it only shared users’ personal information with members of their Venmo “social web” if they designated their account transactions as “public.” Instead, Venmo shared this information by default with everyone online, including individuals who did not have a Venmo account. Finally, Venmo did not deliver the initial privacy notice in a manner that each customer could reasonably be expected to receive it. The privacy notice was included as a hyperlink in the Venmo App, but users were not required to acknowledge its receipt “as a necessary step to obtaining a financial product or service.”

The FTC complaint also alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed.

In the settlement, Venmo is prohibited from misrepresenting the level of protection provided by its privacy settings and the extent to which Venmo implements or adheres to a particular level of security. Venmo is also prohibited from violating the Privacy Rule and the Safeguards Rule and is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.

In announcing the settlement, Acting FTC Chairwoman Maureen K. Ohlhausen noted that consumers suffered real harm from Venmo’s misrepresentations and stated that “this case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”

NY Department of Financial Services Issues Reminder for Cybersecurity Filing Deadline

On January 22, 2018, the New York Department of Financial Services (“NYDFS”) issued a press release reminding entities covered by its cybersecurity regulation that the first certification of compliance with the regulation is due on or prior to February 15, 2018. Covered entities must file the certification, which covers the 2017 calendar year, at the NYDFS online portal.

Maria T. Vullo, the Superintendent of the NYDFS, noted the critical importance of the certification of compliance and stated that “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with regulatory standards and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications. DFS’s goal is to prevent cybersecurity attacks, and we therefore will now include cybersecurity in all DFS examinations to ensure that proper cybersecurity governance is being practiced by our regulated entities. As DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cyber criminals.”

Superintendent Vullo also announced that the NYDFS will incorporate cybersecurity in all of its regulatory examinations. This includes adding questions related to cybersecurity to “first day letters,” which are notices that the NYDFS issues to commence its examinations of financial services companies, including examinations of banks and insurance companies for safety and soundness and market conduct.

Read more about other key deadlines for the NYDFS cybersecurity regulation.

FTC Announces Settlement with Tax Prep Service over Financial Privacy and Security Violations

On November 8, 2017, the FTC announced a settlement with Georgia-based online tax preparation service, TaxSlayer, LLC (“TaxSlayer”), regarding allegations that the company violated federal rules on financial privacy and data security. According to the FTC’s complaint, malicious hackers were able to gain full access to nearly 9,000 TaxSlayer user accounts between October 2015 and December 2015. The hackers allegedly used the personal information contained in the users’ accounts, including contact information, Social Security numbers and financial information, to engage in tax identity theft and obtain tax refunds through filing fraudulent tax returns. The FTC charged TaxSlayer with violating the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule.

The Safeguards Rule requires financial institutions to implement appropriate safeguards, including a comprehensive written information security program, to protect the security, confidentiality and integrity of customer information. The Privacy Rule requires financial institutions to provide consumers with clear and conspicuous initial and annual privacy notices, which must include specified information about the institution’s personal information practices. The FTC alleged that TaxSlayer violated the Safeguards Rule by, among other things, failing to (1) implement a written information security program, (2) conduct a risk assessment and (3) implement information safeguards to control the risks to customer information from inadequate authentication. The FTC alleged that TaxSlayer violated the Privacy Rule by (1) hiding its privacy policy towards the end of a long License Agreement and not conveying the importance, nature and relevance of the privacy policy to its customers, and (2) failing to deliver the privacy policy so that each customer could reasonably be expected to receive actual notice (such as by requiring customers to acknowledge receipt of the initial notice as a necessary step to obtaining TaxSlayer’s services).

As part of the settlement, TaxSlayer is prohibited from violating the Safeguards Rule and the Privacy Rule for 20 years, and for 10 years must obtain biennial third-party assessments of its compliance with these rules.

FTC Announces Settlement with Lenovo Regarding Preinstalled Laptop Software

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. 

In its complaint, the FTC charged that, since August 2014, Lenovo sold consumer laptops in the United States with a preinstalled “man-in-the-middle” software program, known as VisualDiscovery and sold by a third-party software company, that delivered pop-up advertisements from the software company’s retail partners whenever a user placed the laptop’s cursor over a similar product on a website. The FTC charged that the software was able to access consumers’ sensitive personal information transmitted online, including login credentials, Social Security numbers, medical information and financial and payment card information, in order to deliver the targeted advertisements. Further, the FTC charged that, to facilitate the display of pop-up advertisements on encrypted websites, the software “used an insecure method to replace digital certificates for those websites with its own VisualDiscovery-signed certificates,” but failed to authenticate the validity of websites’ digital certificates before replacing them. This prevented consumers’ Internet browsers from warning them when they visited potentially spoofed or malicious websites. According to the FTC, Lenovo sold laptops with the VisualDiscovery software without discovering the security vulnerabilities “because it failed to assess and address security risks created by” VisualDiscovery.

The Settlement prohibits Lenovo from future misrepresentations of preloaded software on its laptops that will inject advertising or transmit sensitive consumer information to third parties. In addition, the Settlement requires Lenovo to obtain consumers’ affirmative consent before preloading this type of software onto laptops. Lenovo also must implement a comprehensive software security program for most preloaded consumer software and be subject to third-party audits for 20 years. The Settlement will be subject to public comment until October 5, 2017, after which the FTC will determine whether to finalize it.

SEC Risk Alert Highlights Cybersecurity Improvements and Suggested Best Practices

On August 7, 2017, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert examining the cybersecurity policies and procedures of 75 broker-dealers, investment advisers and investment companies (collectively, the “firms”). The Risk Alert builds on OCIE’s 2014 Cybersecurity Initiative, a prior cybersecurity examination of the firms, and notes that while OCIE “observed increased cybersecurity preparedness” among the firms since 2014, it “also observed areas where compliance and oversight could be improved.”

Key improvements observed included:

  • use of periodic risk assessments, penetration tests and vulnerability scans of critical systems to identify cybersecurity threats and vulnerabilities, as well as potential business consequences of a cybersecurity incident;
  • procedures for regular system maintenance, including software patching, to address security updates;
  • implementation of written policies and procedures, including response plans and defined roles and responsibilities, for addressing cybersecurity incidents; and
  • vendor risk assessments conducted at the outset of an engagement with a vendor and often updated periodically throughout the business relationship.

Key issues observed included:

  • failure to reasonably tailor written policies and procedures (e.g., many policies and procedures were written vaguely or broadly, with limited examples of safeguards and limited procedures for policy implementation);
  • failure to adhere to or enforce written policies and procedures, or failure to ensure that such policies and procedures reflected firms’ actual practices;
  • failure to timely remediate high-risk findings of penetration tests and vulnerability scans; and
  • use of outdated operating systems that were no longer supported by security patches.

In addition, the Risk Alert included a list of best practices identified by OCIE as elements of robust cybersecurity programs. These included maintaining:

  • an inventory of data, information and vendors;
  • instructions for various aspects of cybersecurity protocols, including security monitoring, auditing and testing, as well as incident reporting;
  • schedules and processes for cybersecurity testing; and
  • “established and enforced” access controls to data and systems.

OCIE further noted that robust cybersecurity programs may include mandatory employee training and vetting and approval of policies and procedures by senior management. OCIE indicated in the Risk Alert that its list of cybersecurity program best practices is not intended to be exhaustive.

OCIE noted that it will continue to prioritize cybersecurity compliance and will examine firms’ procedures and controls, “including testing the implementation of those procedures and controls at firms.”

SEC Warns Initial Coin Offerings May Be Subject to U.S. Federal Securities Laws

In 2017, over $1.3 billion has been raised by start-ups through Initial Coin Offerings (“ICOs”), a relatively new form of financing technique in which a company (typically one operating in the digital currency space) seeking to raise seed money makes a “token” available for sale, and the token gives the purchaser some future right in the business or other benefit. Amidst much anticipation, on July 25, 2017, the Securities and Exchange Commission (“SEC”) released a Report of Investigation (“Report”) under Section 21(a) of the Securities Exchange Act of 1934 warning the market that “tokens” issued in ICOs may be “securities” such that the full breadth of the U.S. federal securities laws may apply to their offer and sale. The Report and a simultaneously released Investor Bulletin offer guidance and serve as a notice to the market that the SEC will be policing this new financing technique.

Read the full client alert.

Lead Generation Business Settles FTC Charges That It Unlawfully Sold Consumer Data

On July 5, 2017, the FTC announced that Blue Global Media, LLC (“Blue Global”) agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure. According to the FTC’s complaint, Blue Global claimed it would connect loan applicants to lenders from its network of over 100 lenders in an effort to offer applicants the best terms. In reality, Blue Global “sold very few of the loan applications to lenders; did not match applications based on loan rates or terms; and sold the loan applications to the first buyer willing to pay for them.” The FTC alleged that, contrary to Blue Global’s representations, the company provided consumers’ sensitive information—including SSN and bank account number—to buyers without consumers’ knowledge or consent. The FTC further alleged that, upon receiving complaints from consumers that their personal information was being misused, Blue Global failed to investigate or take action to prevent harm to consumers.

The terms of the settlement prohibit Blue Global from misrepresenting (1) its ability to assist consumers in obtaining loans with favorable rates and terms; (2) that it will protect and secure consumers’ personal information and (3) the types of businesses with which Blue Global shares consumers’ personal information. The settlement further requires Blue Global to “investigate and verify the identity of businesses to which they disclose consumers’ sensitive information” and to obtain consumers’ informed consent for these disclosures. The settlement also includes a judgment for more than $104 million, suspended due to Blue Global’s inability to pay.

Chipotle Payment Card Data Breach: Financial Institutions File Leapfrog Suit

On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology. 

Alcoa asserts claims for negligence and negligence per se. Both claims rest on, among other bases, a purported violation of Section 5 of the FTC Act. Alcoa also requests declaratory and injunctive relief. The alleged damages include the costs of providing replacement cards, costs for consumer fraud monitoring, reimbursement of fraudulent charges, and costs due to lost interest and transaction fees due to reduced card usage.

Very few financial institution cases have been filed in the wake of consumer data breaches. However, such cases have been increasing due to a number of payment card data breaches in fairly rapid succession, including many massive breaches. These circumstances can create added costs for financial institutions that may not be fully recoverable through their direct relationships with the card brands. Additionally, because the financial institutions typically do not have contractual relationships with the breached merchants, some have chosen to leapfrog the various recovery processes established by the card brands by alleging non-contractual common law tort claims such as negligence and negligence per se.

Colorado Publishes Cybersecurity Regulations for Financial Institutions

Recently, the Colorado Division of Securities (the “Division”) published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.

The regulations obligate covered broker-dealers and investment advisers to establish and maintain written cybersecurity procedures designed to protect “confidential personal information” which is defined to include a Colorado resident’s first name or first initial and last name, plus (1) Social Security number; (2) driver’s license number or identification card number; (3) account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) digitized or other electronic signature or (5) user name, unique identifier or electronic mail address in combination with a password, access code security question or other authentication information that would permit access to an online account.

The cybersecurity procedures must include:

  • an annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity and availability of confidential personal information;
  • the use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
  • authentication practices for employee access to electronic communications, databases and media;
  • procedures for authenticating client instructions received via electronic communication; and
  • disclosure to clients of the risks of using electronic communications.

In determining whether a firm’s cybersecurity procedures are reasonably designed, the Division may consider the firm’s size, relationships with third parties and cybersecurity policies and procedures. The Division may also consider the firm’s (1) authentication practices, (2) use of electronic communications, (3) use of automatic locking mechanisms for devices that have access to confidential personal information and (4) process for reporting lost or stolen devices.

The Colorado Secretary of State will set an effective date for the Colorado regulations after the Colorado Attorney General’s office issues an opinion on the regulations.

New York Publishes FAQs and Key Dates for Cybersecurity Regulation

Earlier this month, the New York State Department of Financial Services (“NYDFS”) published FAQs and key dates for its cybersecurity regulation (the “NYDFS Regulation”) for financial institutions that became effective on March 1, 2017.

The FAQs address topics including:

  • whether a covered entity is required to give notice to consumers affected by a cybersecurity event;
  • whether a covered entity may adopt portions of an affiliate’s cybersecurity program without adopting all of it;
  • whether DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the NYDFS Regulation;
  • what constitutes “continuous monitoring” for purposes of the NYDFS Regulation;
  • how a covered entity should submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events; and
  • whether an entity can be both a covered entity and a third-party service provider under the NYDFS Regulation.

The NYDFS also listed key dates for the NYDFS Regulation, which include:

  • March 1, 2017 – the NYDFS Regulation becomes effective.
  • August 28, 2017 – the 180-day transitional period ends and covered entities are required to be in compliance with requirements of the NYDFS Regulation unless otherwise specified.
  • September 27, 2017 – the initial 30-day period for filing Notices of Exemption ends.
  • February 15, 2018 – covered entities are required to submit the first certification under the NYDFS Regulation on or prior to this date.
  • March 1, 2018 – the one-year transitional period ends. Covered entities are required to comply with certain requirements such as those related to penetration testing, vulnerability assessments, risk assessment and cybersecurity training.
  • September 3, 2018 – the eighteen-month transitional period ends. Covered entities are required to comply with audit trail, data retention and encryption requirements.
  • March 1, 2019 – the two-year transitional period ends. Covered entities are required to develop a third-party service provider compliance program.

In a recent conference of the National Association of Insurance Commissioners, Maria Vullo, the NYDFS superintendent, stated that “The New York regulation is a road map with rules of the road.”

Virginia Adds State Income Tax Provision to Data Breach Notification Law

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer. 

The amendment contains a harm threshold, requiring notification when such unauthorized access and acquisition compromises the confidentiality of the data and causes, or reasonably will cause, identity theft or fraud. For employers, the amendment applies only to the employer’s Virginia employees, and not to information regarding the employer’s customers or non-employees. Notification to the Virginia Office of the Attorney General must be made “without unreasonable delay” and must include the name and federal employer identification number of the employer that may be affected by the incident. The amendment requires notification only to the Virginia Office of the Attorney General, and not affected individuals. The amendment takes effect on July 1, 2017.

NY Attorney General Announces Record Number of Data Breach Notices in 2016

On March 21, 2017, New York Attorney General Eric Schneiderman announced that the New York Office of the Attorney General received over 1,300 data breach notifications in 2016, a 60 percent increase from 2015. The reported breaches led to the exposure of personal information of 1.6 million New York residents. According to the Attorney General’s report, 46 percent of the exposed personal information consisted of Social Security numbers, and 35 percent consisted of financial account information. Attorney General Schneiderman cited the updated New York State Department of Financial Services Cybersecurity Regulation as a means of addressing financial data breaches.

Webinar Recording Available on the NYDFS Regulations

On March 9, 2017, AllClear ID hosted a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to and recover from data security events.

Sotto and AllClear ID founder and chief executive officer, Bo Holland, discussed the key areas your business should address first in this new regulatory environment. Sotto points out that these regulations will “affect companies far and wide,” including “any vendor that touches a New York banking, insurance or financial organization.”

View a recording of the webinar and download the presentation materials.

Home Depot Settles Data Breach Claims

On March 9, 2017, Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

The 2014 data breach involved the theft of Home Depot customers’ personal information, including names, payment card numbers, expiration dates and security codes. Approximately 56 million payment card numbers were compromised. This information was sold to identity thieves, who used it to make fraudulent transactions. As a result, financial institutions were required to take steps such as cancelling the compromised cards and reimbursing customers for fraudulent charges.

As part of the settlement, Home Depot will pay $25 million into a fund that will be distributed to financial institutions that have not released all of their claims, and pay up to $2.25 million to certain financial institutions whose claims were released by a sponsor in connection with MasterCard’s Account Data Compromise program. Home Depot also will be required, for at least two years, to implement additional data security measures. Specifically, Home Depot must:

  • implement an appropriate, industry-recognized security control framework;
  • develop a program to ensure that its vendors with access to payment card information treat the information securely; and
  • apply safeguards to address risks identified by its risk assessments, and track and manage such assessments through a process involving Home Depot leadership.

In addition to these settlement terms, in March 2016 Home Depot agreed to settle consumers’ claims by paying $13 million, funding identity protection services and undertaking certain data security measures.

The New Cybersecurity Landscape: What the NYDFS Regulations Really Mean for Your Business

On March 9, 2017, AllClear ID will host a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations will impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to, and recover from data security events. To be compliant, businesses will need to rethink their cybersecurity programs in light of the many granular requirements in the NYDFS regulations. Join Lisa J. Sotto and AllClear ID founder and chief executive officer, Bo Holland, for a discussion on the key areas your business should address first in this new regulatory environment, including best practices for breach readiness, response and recovery.

Register for the webinar now.

FINRA Issues $14.4 Million in Fines for Inadequate Record Storage Practices

On December 21, 2016, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined 12 financial institutions a total of $14.4 million for improper storage of electronic broker-dealer and customer records. Federal securities law and FINRA rules require that business-related electronic records be kept in “write once, read many” (“WORM”) format, which prevents alteration or destruction. FINRA found that the 12 sanctioned firms had failed to store such records in WORM format, in many cases for extended periods of time.

According to FINRA’s press release about the sanctions, it found that “each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.” Preventing the alteration or destruction of electronic brokerage records is, as the SEC has previously stated, “the primary means of monitoring compliance with applicable securities laws.” Further, as FINRA noted, these records contain sensitive financial data that is increasingly vulnerable to “aggressive attempts to hack into electronic data repositories.”

The individual fines ranged from $500,000 to $4 million. Brad Bennett, FINRA’s Executive Vice President and Chief of Enforcement, said of the fines, “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records.”

New York Updates Cybersecurity Regulation for Financial Institutions

On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced an updated version of its cybersecurity regulation for financial institutions (the “Updated Regulation”). The Updated Regulation will become effective on March 1, 2017.

Key changes from the version that was published in September 2016 include:

  • providing a definition of a “Third-Party Service Provider”;
  • modifying the definition of “Nonpublic Information” to make it consistent with the definition of private information under New York’s state breach notification law;
  • adding “asset inventory and device management” to the list of required components of a covered entity’s cybersecurity policy;
  • permitting a covered entity’s Chief Information Security Officer to be employed by an affiliate of the covered entity or by a service provider;
  • limiting the requirement for a covered entity to maintain audit trails to cover only cybersecurity events “that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity”;
  • eliminating the obligation for covered entities to require multi-factor authentication for employees accessing internal databases; and
  • adding a notice of exemption form that covered entities may complete and file with DFS if they believe they are exempt from specific sections of the regulations.

In announcing the Updated Regulation, DFS Superintendent Maria T. Vullo stated that the Updated Regulation “allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

The Updated Regulation will be finalized in January 2017 following a 30-day notice and public comment period and will become effective on March 1, 2017.

SEC Charges Chinese Traders with Trading on Information Stolen from Law Firms

On December 27, 2016, the Securities and Exchange Commission (“SEC”) announced charges against three Chinese traders who allegedly made almost $3 million in illegal profits by fraudulently trading on nonpublic information that had been hacked from two New York-based law firms. This is the first action in which the SEC has brought charges in connection with an incident involving hacking into a law firm’s computer network.

The charges stem from allegations that the traders used malware to hack into the law firms’ networks and steal confidential information relating to clients’ potential M&A transactions from firm email accounts. The traders then allegedly used the stolen information to purchase shares in several public companies ahead of announcements about those companies entering into merger agreements.

Antonia Chion, Associate Director of the SEC’s Division of Enforcement, noted that the action “serves as a stark reminder to companies and firms that your networks can be vulnerable targets.”

The U.S. Attorney for the Southern District of New York is bringing criminal charges against the traders.

FINRA Fines Brokerage Firm $650,000 After Cyber Attack

On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.

In 2012, hackers with foreign IP addresses accessed LFS’s cloud server and stole confidential records of approximately 5,400 customers. The stolen records included account applications and other brokerage records containing customers’ nonpublic personal information, including Social Security numbers. LFS timely notified affected individuals and FINRA about the breach and, to date, there is no evidence of any misuse of customer information resulting from the theft. In the Settlement, however, FINRA alleged that LFS failed to implement and maintain adequate cybersecurity procedures, including written supervisory procedures, designed to protect confidential customer information stored on electronic systems in violation of FINRA Rules 3110 and 2010. FINRA alleged that when LFS began storing records on cloud-based servers in 2011, LFS failed to ensure that the third-party vendor retained to configure the cloud system properly installed antivirus software or data encryption for the confidential information, and that this failure led to the 2012 hack.

Under the terms of the Settlement, LFS will pay a $650,000 penalty to FINRA. In addition, LFS is required to review its written supervisory procedures and security systems and implement all necessary changes to enhance security. LFS previously was fined $450,000 by FINRA in 2011 for failing to establish adequate procedures to protect confidential customer information stored on its web-based electronic portfolio management system.

Tesco Bank Hack Illustrates Need for Robust Cyber Insurance

As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s (“Tesco”) banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss still is being investigated by UK authorities, but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that cyber-related losses are a real threat to retailers and other industries. According to reports, Tesco spent £500 million (approximately $618 million) building up its technology platform over the past seven years. Even that very substantial expenditure was not enough, however, to prevent the recent hack, illustrating the need for robust cyber insurance as a component of any comprehensive cyber protection program.

FinCEN Issues Advisory on SAR Reporting Obligations Involving Cyber Crime

On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.

Reporting Cyber-Enabled Crime and Cyber Events

In addition to maintaining cyber-related SAR-filing obligations stipulated by their functional regulator, financial institutions are mandated to report suspicious “cyber events” or “cyber-enabled crime” involving or aggregating $5,000 or more in funds or other assets and conducted or attempted by, at or through the institutions. The key terms are defined as follows:

  • Cyber Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information.
  • Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.

Illustrative examples provided in the Advisory indicate that the value of a cyber event to be noted in the SAR (and used to trigger the $5,000 threshold) is the amount of customer funds at risk based on the information targeted by the intrusion. Banks also are encouraged to voluntarily report “egregious, significant, or damaging cyber events and cyber-enabled crime” that may not require the filing of an SAR, such as an attack that disables an institution’s online banking services for a significant period but does not pose any risk to transactions. FinCEN states that such SAR reporting is highly valuable to law enforcement investigations even though the intelligence does not relate to specific transactions.

Read the full client alert.

Court Rules Fraud Involving a Computer Is Not ‘Computer Fraud’ under Crime Protection Policy

On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No. 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy.

Background

An employee at Apache Corporation, an oil production company based in Houston, Texas, with worldwide operations, received a telephone call from an individual identifying himself as a representative of Petrofac, a vendor of Apache. The caller instructed the Apache employee to change the bank account to which payments to Petrofac were made. The employee requested that confirmation of the change request be provided on Petrofac’s letterhead.

Shortly thereafter, the fraudsters provided the Apache accounts-payable department with an email of the request on Petrofac letterhead. The letter also included a phony telephone number, which Apache personnel used to confirm the requested change. Apache then proceeded to make payment to the fraudulent account when it came time to pay Petrofac’s invoices. Within one month, Apache was notified that Petrofac had not received approximately $7 million in payments that had been sent to the fraudulent account. Apache recouped a portion of the payments from its bank and attempted to recover the balance from its insurer.

Apache was insured under a crime-protection insurance policy issued by Great American Insurance Company (“GAIC”). Apache submitted a claim to GAIC for reimbursement of the unrecovered funds under the policy’s computer-fraud coverage, which afforded coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer” of money or property to a person or place outside the company. GAIC denied coverage, claiming that the loss did not directly result from the use of a computer nor did the use of a computer cause the transfer of the funds. Apache filed suit in Texas state court and GAIC removed. The federal district court sided with Apache and held that the intervening steps of the phone call and approval of the change request by Apache’s supervisors did not alter the fact that the fraudsters used a computer to perpetrate the fraud. The district court also held that GAIC’s construction of the policy would effectively limit the policy to affording coverage only for computer hacking, thus rendering the policy “pointless.”

Read the full alert.

Federal Regulators Propose New Cybersecurity Rule for Big Banks

On October 19, 2016, the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve System (the “Fed”) and Office of the Comptroller of the Currency issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks with assets totaling more than $50 billion (the “Proposed Standards”).

The Proposed Standards address five categories of cybersecurity: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. The Proposed Standards would require covered entities to develop written, board-approved cybersecurity strategies to hold senior management accountable and incorporate procedures for independent risk management reporting to the company’s chief risk officer. Covered entities would also be required to define internal and external cyber risks and develop resiliency plans to ensure continued operation of critical business functions during a cyber incident.

The Proposed Standards include a two-tiered system that establishes more stringent requirements for systems of those covered entities that are deemed “critical to the financial sector.” Under these more stringent requirements, covered entities would be obligated to implement the “most effective, commercially available controls” on sector-critical systems and establish a test-validated two-hour time period for such systems to “recover from a disruptive, corruptive, or destructive cyber event.”

The Proposed Standards would apply to companies with total consolidated assets of at least $50 billion, as well as to Fed-supervised non-bank financial companies, financial market infrastructures and financial market utilities (as designated by the Financial Stability Oversight Council) and third parties who provide services to these firms. Community banks would not be subject to the Proposed Standards. FDIC Chairman Martin J. Gruenberg released a statement praising the issuance of the Proposed Standards, stating, “The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”

Comments on the Proposed Standards are due January 17, 2017.

G-7 Endorses Best Practices for Bank Cybersecurity

On October 11, 2016, Group of Seven (“G-7”) financial leaders endorsed the Fundamental Elements of Cybersecurity for the Financial Sector (“Best Practices”), a set of non-binding best practices for banks and financial institutions to address cybersecurity threats. The endorsement was motivated by recent large hacks on international banks, including the February 2016 theft of $81 million from the central bank of Bangladesh’s account at the New York Federal Reserve.

The Best Practices are divided into eight elements designed to help financial institutions tailor their cybersecurity practices to their specific operations, the relevant threat landscape, their role in the financial sector and legal and regulatory requirements. The elements include:

  • establishing and maintaining a cybersecurity strategy and framework tailored to specific risks and relevant, applicable laws;
  • defining and facilitating roles and responsibilities of governance personnel (e.g., boards of directors);
  • assessing risks and controls to protect against those risks;
  • establishing systematic monitoring processes to rapidly detect cyber threats and evaluate the effectiveness of existing controls;
  • maintaining response procedures to timely identify, assess and contain a cyber incident and make required notifications;
  • resuming normal operations responsibly with an eye toward continued remediation;
  • sharing reliable cybersecurity information with internal and external stakeholders; and
  • reviewing institutional cybersecurity policies and procedures regularly to address changes in cyber risks and resource allocations, and to amend procedures as necessary based on lessons learned.

The Best Practices emphasize the need for flexibility in the face of ever-evolving cyber threats, and stress that financial institutions should continuously re-assess their cybersecurity strategies and practices to effectively combat such threats.

Federal Reserve Board Chairman Stanley Fischer praised the G-7’s endorsement of the Best Practices, stating that, “The international financial architecture is only as strong as its weakest link and that is why the United States should work with our partners around the world to bolster their information security and resiliency… These elements are a crucial step in further hardening each link in the chain of our global financial system.”

FTC Seeks Input on GLB Safeguards Rule

On August 29, 2016, the Federal Trade Commission announced that it is seeking public comment on the Gramm-Leach-Bliley Act (“GLB”) Safeguards Rule. The GLB Safeguards Rule, which became effective in 2003, requires financial institutions to develop, implement and maintain a comprehensive information security program to safeguard customer information.

The FTC requests comments on several general questions pertaining to the GLB Safeguards Rule, such as:

  • Is there a continued need for specific provisions of the GLB Safeguards Rule?
  • What significant costs has the GLB Safeguards Rule imposed on consumers and how could it be modified to reduce those costs?
  • What benefits has the GLB Safeguards Rule provided to businesses and how could it be modified to increase those benefits?
  • What modifications to the GLB Safeguards Rule should there be to account for changes in technology or economic conditions?

The FTC also requests comments on several specific issues pertaining to the GLB Safeguards Rule. These include:

  • Should the elements of a comprehensive information security program include a response plan in the event of a breach? If so, what should such a plan contain?
  • Should the GLB Safeguards Rule be modified to include more specific and prescriptive requirements for information security programs?
  • Should the GLB Safeguards Rule be modified to reference or incorporate information security standards or frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standard?
  • Should the GLB Safeguards Rule include its own definitions of terms such as “financial institution”?
    • Should the term “financial institution” be expanded to include “entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities?”
    • Should that definition of “financial institution” also include “activities that have been found to be closely related to banking or incidental to financial activities by regulation or order in effect after the enactment of the [GLB Safeguards Rule]?”

The FTC has invited interested parties to comment on the GLB Safeguards Rule by November 7, 2016.

View the FTC’s Federal Register notice seeking public comment on the GLB Safeguards Rule.

FTC Releases OECD’s Recommendation on Consumer Protection in E-Commerce

On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”

The OECD, an international forum founded in 1961 by a host of nations including the U.S., adopted the Recommendation to address new developments in technology and e-commerce that did not exist or were not consumer protection concerns when the first iteration of its e-commerce guidelines was released in 1999.

The Recommendation aims to address several privacy and consumer protection concerns, including:

  • Increased Use of Plain Language Disclosures. The OECD recommends adoption of requirements for e-commerce sellers to use a single language, to use simple terms in consumer agreements and notices, and to avoid overly complicated language that does not clearly describe the terms. In particular, the OECD expresses concern about (1) adaptability for all different platforms, including mobile devices, and (2) digital content product disclosures that would clearly state limitations on functionality and interoperability.
  • Reducing Privacy and Security Risks. The OECD’s recommendations include added protection for consumer data. The last several years have seen a rise in “free” digital content exchanged for access to personal data, which is often resold. Furthermore, consumer data is central to much of the business transacted online. The Recommendation highlights these privacy concerns and calls on governments to offer consumer redress for breaches relating to information gathered by such free services.
  • Increased Payment Protection. The OECD recognizes that payment protection levels largely depend on the payment mechanism (including mobile payments) and the service provider. Thus, the OECD recommends that governments work with inter-industry stakeholders “to develop minimum levels of consumer protection across payment mechanisms.”
  • Expansion of Product Safety Recommendations. The Recommendation attempts to provide some uniformity by encouraging governments to extend their product safety regulations beyond brick-and-mortar retail to e-commerce products.

Consumer Financial Protection Bureau Imposes First Ever Data Security Fine

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.

In the consent order, the CFPB alleges that Dwolla misrepresented that it “employ[ed] reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and that its network and transactions were “safe,” “secure” and compliant with the standards set forth by the PCI Security Standards Council. Specifically, the CFPB found that Dwolla failed to:

  • adopt and implement data security policies and procedures reasonable and appropriate for the organization;
  • use appropriate measures to identify reasonably foreseeable security risks;
  • ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • use encryption technologies to properly safeguard sensitive consumer information; and
  • practice secure software development, particularly with regard to consumer-facing applications developed on an affiliated website, Dwollalabs.com.

In addition to the $100,000 fine, Dwolla was ordered, for the next five years, to adopt and implement reasonable and appropriate data security measures to protect consumers’ personal information on its networks and applications, including:

  • implementing a comprehensive data security plan reasonably designed to protect the confidentiality, integrity and availability of sensitive consumer information;
  • conducting semiannual data security risk assessments;
  • conducting regular, mandatory employee training on (1) data security policies and procedures, (2) the safe handling of consumers’ sensitive personal information, and (3) secure software design, development and testing;
  • obtaining an annual data security audit from an independent, qualified third party, using procedures and standards generally accepted in the profession; and
  • implementing reasonable procedures for the selection and retention of service providers capable of maintaining security practices consistent with the consent order, and requiring service providers by contract to implement and maintain appropriate safeguards.

How to Safeguard Privacy and Data Security in Corporate Transactions

Personal information about consumers is the lifeblood of many organizations. Because of the potential value of the information, companies are increasingly focused on privacy and data security issues that arise in the context of mergers, acquisitions, divestitures and related transactions. In many corporate transactions, data is a critical asset that should be addressed as a key deal point. Unfortunately, too often personal data is transferred without consideration of the issues that otherwise might change the pricing of a deal – or kill it altogether. In a recent article published by Corporate Counsel, Hunton & Williams partner Lisa J. Sotto and associate Ryan P. Logan discuss the privacy and data security-related legal issues that arise in corporate transactions, and provide a how-to guide on addressing those issues during the various stages of a transaction.

Download a copy of the article.

China Enacts Administrative Measures for Online Payment Businesses

On December 28, 2015, the People’s Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People’s Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

The impact of the Measures will reach beyond the payment market itself to promote the development of the e-commerce and Internet finance sectors in China. The Measures will come into effect on July 1, 2016. Consistent with the 2010 Measures, the new Measures require NBPIs to take effective protective measures for the security of their clients’ personal information, and to adopt risk control systems. The Measures further restrict the storage of clients’ sensitive information, such as track information or chip information of their clients’ bank cards, their verification codes or passwords. In principle, NBPIs are not allowed to store the effective term of the bank cards, unless they are stored for special business needs or pursuant to authorization by the clients and the banks opening the bank cards. Further, this information must be encrypted prior to storage.

Under the Measures, NBPIs are required to collect, use, store and transfer clients’ information only to the minimum extent necessary, and to notify clients of the purpose and scope of their use of the information. The Measures restrict NBPIs from providing clients’ information to other institutions or individuals, unless otherwise required by laws and regulations, or unless the provision of each item was confirmed and authorized by the clients.

The Measures also impose responsibilities on the NBPIs to bind the merchants which are counterparties to their online payment services. NBPIs are required to sign agreements with the merchants, prohibiting the merchants from storing sensitive information of their clients, and to adopt supervisory measures, such as periodic checks and technical monitoring, as may be necessary. If the merchants store sensitive information in violation of the agreement, the NBPIs are required to promptly suspend or terminate their provision of online payment services for these merchants, and adopt effective measures to delete the sensitive information and to prevent disclosure of it. The NBPIs also may be liable for losses and liabilities caused by the disclosure of relevant information.

The Measures further require NBPIs to maintain online payment business processing systems that are safe and comply with normative specifications, and related backup systems, within the territory of China. When providing services for domestic transactions, NBPIs are required to complete the transactions using their domestic business processing systems, and to complete the financial settlement within the territory of China.

President Signs Law Providing Exception to Annual Privacy Notice Requirement under the Gramm-Leach-Bliley Act

On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the “FAST Act”) into law. The FAST Act, which is aimed at improving the country’s surface transportation infrastructure, contains a provision that modifies the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).

Under the current GLBA Privacy Rule, financial institutions must mail an annual privacy notice to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing. The exception in the FAST Act states that a financial institution does not have to provide an annual privacy notice if it (1) only shares NPI with nonaffiliated third-parties in a manner that does not require an opt-out right be provided to customers (e.g., if the institution discloses NPI to a service provider or for fraud detection and prevention purposes) and (2) has not changed its policies and practices with respect to disclosing NPI since it last provided a privacy notice to its customers.

If a financial institution changes its practices and discloses NPI to nonaffiliated third-parties in a manner that requires it to offer an opt-out right to its customers, the financial institution would be required to send the revised privacy notice to its customers. For example, if a financial institution began to disclose NPI to nonaffiliated third-parties so that those parties could market to the financial institution’s customers, it would need to mail the privacy notice to its customers and only share the NPI after those customers have not exercised their rights to opt out of such sharing.

The FAST Act’s GLBA provision is expected to save financial institutions millions of dollars in postage and printing costs, and comes after the Consumer Financial Protection Bureau finalized a rule that enabled certain financial institutions to comply with GLBA notice requirements by publishing their financial privacy notices online instead of mailing them to their customers.

Blockchain, Cybersecurity and Global Finance

When novelist William Gibson said, “[t]he future is already here, it’s just not very evenly distributed,” he may have had innovation like blockchain technology in mind. In the near future, blockchain may become the new architecture of a reinvented global financial services infrastructure. The technology – a distributed, consensus-driven ledger that enables and records encrypted digital asset transfers without the need of a confirming third party – is revolutionary to global financial services, whose core functions include the trusted intermediary role (e.g., payment processor, broker, dealer, custodian).

Realizing this potential, global investment banks are beginning to develop public and private blockchain technology standards and protocols, with a goal of re-imagining their daily operations within the global financial system. While the possibilities for financial innovation – shared ledgers and smart contracts to name a few – are dizzying, it is important to remember one thing: the speed and extent of acceptance of blockchain technology within the global financial services community will ultimately depend on the security of the network. Earlier this year, Interpol reported that blockchain can be repurposed by hackers to export malware to all computers in the network. Interpol proved this by introducing a proof-of-concept malware that showed the viability of such a cyber-attack. In the event of an actual attack, blockchain’s virtues, such as decentralization and immutability, would instantly become vices, as the malware would spread far and wide and the pollution would not be easily erased.

The intermediary functions described above are currently critical actions within global financial services, particularly in relation to financial asset trading; however, these activities are increasingly expensive, inefficient and, most dangerous of all, risky. They are expensive because the information technology investment and maintenance costs are significant. They are inefficient because although trading is swift for many financial assets, settlement is not, with too much reliance on back office human agency and duplication of effort and systems. They are risky because settlement delay introduces counterparty risk, and data concentration on centralized servers introduces operational/systems risk. In short, they are increasingly capital-intensive activities in the post-Credit Crisis milieu, where despite muted trading revenue, the demands of regulators grow louder for more transparent reporting and real-time risk exposure recordkeeping.

What, then, is blockchain technology? It’s a decentralized ledger of digital asset ownership on which the asset owners, or users, can initiate transfer to other users whose interconnected computers run blockchain software (“nodes”). The transactions themselves are encrypted transfer data that, when confirmed (in batches, roughly every ten minutes), comprise the “blocks” and when linked sequentially to the referenced prior block, comprise the “chain.” Confirmation occurs when the first of these nodes, each of which maintains a current copy of the blockchain, verifies the transaction(s) by utilizing specialized computational software to solve a complicated encryption problem. Then, and only then, does this node add the new block sequentially into the chain, causing the other nodes to validate the solution and update their ledgers accordingly. This verification yields compensation (e.g., in bitcoins or other cryptocurrency) to the problem-solving node, a “miner”, for the processing power expended in first successfully confirming the transaction.

Blockchain is thus both a secure means of digitized asset transfer and a virtually incorruptible record of such transfer, confirmed by processing power consensus and protected by ledger distribution, from the original “genesis” block all the way through the current transaction. A technology that can automate trust in the transfer for value of digitized assets poses an existential threat to the financial institutions that choose to ignore it. However, blockchain offers an opportunity for collaboration and co-development – creative construction rather than destruction – for financial institutions and other market participants that choose to embrace it, for the technology is an elegant response to each of the challenges mentioned above. Distributed ledgers reduce cost and risk and, through secure consensus verification, increase data integrity. Third party disintermediation and the prospect for near real-time settlement increase efficiency.

Blockchain’s potential for disruptive innovation within the financial services industry and beyond is great. It will be greater still if network security remains foremost in mind.

SEC Announces Settlement Order and Publishes Investor Alert

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

The Order with R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) alleged that R.T. Jones violated Regulation S-P, the SEC’s version of the Gramm-Leach-Bliley Act’s Safeguards Rule, by storing sensitive personally identifiable information (“PII”) on its third party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” The firm’s server was attacked in 2013, which resulted in the exposure of PII of more than 100,000 individuals. Pursuant to the Order, R.T. Jones agreed to pay a $75,000 penalty, appoint an information security manager to oversee data security, and adopt and implement a written information security policy. The firm also agreed to (1) no longer store PII on its webserver, (2) encrypt any PII stored on its internal network, (3) install a new firewall and logging system to prevent and detect future attacks, and (4) retain a cybersecurity firm to provide ongoing reports and advice on the firm’s information security.

In announcing the Order, Marshall S. Sprung, Co-Chief of the SEC Division of Enforcement’s Asset Management Unit, noted that companies “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The Alert, which was published by the SEC’s Office of Investor Education and Advocacy, contains practical advice for investors on what steps to take if their investment accounts have been the subject of a data breach. These steps include:

  • contacting the investment firm and other financial institutions immediately;
  • changing online account passwords;
  • considering closing compromised accounts;
  • activating two-step verification, if available;
  • monitoring investment accounts for suspicious activity;
  • placing a fraud alert on their credit file;
  • monitoring credit reports;
  • considering creating an Identity Theft Report; and
  • documenting all communications related to the incident in writing.

View the Press Release, Order and Alert.

Indonesia Publishes Proposed Data Protection Rule

On July 14, 2015, pursuant to an implementation requirement of Government Regulation 82 of 2012, the Indonesian government published the Draft Regulation of the Minister of Communication and Information (RPM) of the Protection of Personal Data in Electronic Systems (“Proposed Regulation”). The Proposed Regulation addresses the protection of personal data collected by a variety of government agencies, enumerates the rights of those whose personal data is collected and the obligations of users of Information Communication Technology. Agencies to which the Proposed Regulation would apply include: the Directorate General of Immigration, which manages passport data; the Financial Services Authority, which regulates financial sector data; the Bank Indonesia, which regulates banking data; the Indonesian Consumers Foundation, which regulates protection of consumer data; the National Archives; and the Ministry of Health, which regulates health data and archives. The government provided a 10-day comment period for the proposal.

The Indonesian government also recently issued proposed guidelines for the registration of software to be used in “public services.” The guidelines carry out a mandate from Government Regulation No. 82 of 2012. The guidelines, as proposed, would require such software to be registered with the Ministry of Communications and Information Technology and meet certain requirements for security and reliability. One potential weakness of the guidelines is their failure to define “public services.” The government will accept public comments on this proposal through July 31.

FinCEN Announces First BSA Enforcement Action Against Virtual Currency Exchanger

On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.

Ripple Labs facilitated transfers of virtual currency and provided virtual currency exchange services. Ripple Labs maintained its own virtual currency, known as XRP, which was the second-largest cryptocurrency after Bitcoin at the beginning of 2015.

The enforcement action follows guidance issued by FinCEN in March 2013 clarifying that the BSA and implementing regulations applied to participants in the virtual currency arena and, more specifically, that “exchangers” and “administrators” of virtual currencies were required to register with FinCEN as “Money Service Businesses” (“MSB”). (See FIN-2013-G0001.) The BSA further requires MSBs to implement anti-money laundering (“AML”) programs, report suspected suspicious transactions over $2,000 and adopt certain “Know-Your-Customer” (“KYC”) procedures.

According to the Settlement Agreement, Ripple Labs operated as an MSB without registering with FinCEN and continued to engage in covered activity after the FinCEN guidance was issued in March 2013. Specifically, Ripple Labs failed to establish an appropriate AML program and failed to adopt adequate policies and procedures to comply with its obligations under the BSA. It was noted that the Ripple Labs subsidiary, XRP II, was registered with FinCEN, but nevertheless failed to adopt an effective AML program and failed to report suspicious transactions.

In an attached “Statement of Facts and Violations” Ripple Labs admitted to specific violations of the BSA. For example, in September 2013, its subsidiary, XRP II, negotiated a $250,000 transaction for the sale of virtual currency by email and agreed to dispense with its KYC requirements when the customer objected to providing information. In November 2013, XRP II rejected a $32,000 transaction because of concerns over the legitimacy of the overseas customer’s source of funds, but failed to file a suspicious activity report (SAR).

The settlement agreement with the USAO requires Ripple Labs to cooperate fully with an ongoing investigation of related criminal violations and offered no “protection from prosecution” to any individuals, to include present or former officers, directors and employees of Ripple Labs. In addition to the civil fine and forfeiture, Ripple Labs and XRP II agreed to engage in remedial steps to ensure future compliance with the BSA, to conduct a three-year “look back audit” for suspicious transactions and to retain external independent auditors to review BSA compliance biannually until 2020.

This action underscores the importance of responding to advisory guidance from FinCEN addressing the application of existing regulations and adapting compliance measures accordingly. Reference in the statement of facts to the previously issued FinCEN guidance demonstrates the government’s view that the advisories put institutions on notice of regulatory requirements. Failure to act following such clarification is evidence of “willfulness” as that term is used in civil enforcement of the BSA. A proactive response to evolving regulatory guidance should be viewed as an investment in risk management, and ultimately more cost effective than a subsequent enforcement action that could result in years of regulatory scrutiny. Banking institutions should take measures to ensure that BSA-covered account holders, subsidiaries and affiliates have the requisite compliance programs and licenses as part of KYC and ongoing due diligence.

View a copy of our client alert.

FTC Announces Settlements with Debt Brokers Who Posted Consumers’ Information Online

On April 13, 2015, the Federal Trade Commission announced that it has settled charges with two debt brokers who posted consumers’ unencrypted personal information on a public website. The settlements with Cornerstone and Company, LLC (“Cornerstone”), Bayview Solutions, LLC (“Bayview”), and the companies’ individual owners resulted from initial complaints about the debt brokers in 2014. Cornerstone and Bayview allegedly had posted the personal information of their debtors in unencrypted Excel spreadsheets on a publicly accessible website geared to buyers and sellers of consumer debt. The information included consumers’ names, addresses, credit card numbers, bank account numbers and debt amounts.

The FTC’s complaints against the debt collectors alleged numerous harms caused by the disclosure of the consumers’ sensitive personal information. In addition to harms associated with potential identity theft, invasion of privacy and loss of income, the complaints also alleged that consumers could be exposed to “other persons or entities attempting to collect the purported debt unlawfully even though those entities will not have purchased or acquired the authority to collect the debt.” As a result of the FTC’s complaints, a federal court ordered the debt brokers to notify affected consumers and forced the website that hosted the information to immediately remove the data.

In each Stipulated Final Order for Permanent Injunction, the companies and their respective owners are obligated to:

  • establish and implement comprehensive information security programs;
  • obtain initial and biennial assessments of their security programs from an independent third party;
  • retain records relevant to compliance with the FTC’s orders;
  • cooperate with the FTC in any investigations related to the transactions or occurrences that are the subject of the complaint;
  • distribute the orders to relevant officers, employees and others; and
  • submit compliance reports on a periodic basis or upon request by the FTC.

The settlements with Cornerstone and Bayview come two months after the FTC sent a letter to the Consumer Financial Protection Bureau that highlighted these cases among other FTC efforts in the debt collection arena.

FTC Highlights Debt Collection and Data Protection Issues in Letter to CFPB

On February 5, 2015, the Federal Trade Commission sent a letter to the Consumer Financial Protection Bureau (“CFPB”) summarizing the agency’s efforts in the debt collection arena in 2014. The letter is intended to assist the CFPB with preparing its annual report to Congress on the enforcement of the Fair Debt Collection Practices Act, which must be submitted pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act. The FTC’s debt collection program involves three initiatives: (1) law enforcement, (2) education and public outreach, and (3) research and policy.

The letter highlights that one of the FTC’s main focuses in 2014 was the security of consumer data in the buying and selling of debts. In the letter, the FTC summarizes its enforcement efforts involving consumer data integrity in the debt collection industry. In 2014, the FTC brought two separate cases against debt sellers that allegedly posted the sensitive personal information of over 70,000 consumers on a public website in connection with soliciting portfolios of past-due payday loan, credit card and other purported debt. Both cases have resulted in the issuance of preliminary injunctions requiring the defendants to remove the consumers’ information from the public website, adopt appropriate data security safeguards, and notify the affected consumers.

FinCEN Assesses Penalty Against Former MoneyGram Compliance Officer

On December 18, 2014, the Financial Crimes Enforcement Network (“FinCEN”) issued a $1 million civil penalty against Thomas E. Haider, the former Chief Compliance Officer of MoneyGram International, Inc. (“MoneyGram”). In a press release announcing the assessment, FinCEN alleged that during Haider’s oversight of compliance for MoneyGram, he failed to adequately respond to thousands of customer complaints regarding schemes that utilized MoneyGram to defraud consumers. In coordination with FinCEN, the U.S. Attorney’s office in the Southern District of New York filed a civil complaint on the same day, seeking a $1 million civil judgment against Haider to collect on the assessment and requesting injunctive relief barring him from participating in the affairs of any financial institution located or conducting business in the United States.

According to the complaint, Haider was the Chief Compliance Officer of MoneyGram from 2003 to 2008 and privy to complaints received by the company’s fraud department regarding numerous fraud schemes that allegedly utilized MoneyGram to induce transfers of funds from victims. The complaint outlines claims that Haider was personally responsible for MoneyGram’s failure to meet its legal obligations under the Bank Secrecy Act (“BSA”); namely, to implement and maintain an effective anti-money laundering (“AML”) compliance program, and to timely file Suspicious Activity Reports (“SARs”). The judgment sought is based on provisions of the BSA and implementing regulations that authorize a $25,000 per day penalty for willful failures to maintain AML compliance programs and file SARs.

The case against Haider follows a series of statements from FinCEN Director Jennifer Shasky Calvery and other regulators stressing individual accountability. The use of civil enforcement tools to hold compliance officers and senior management individually liable for BSA deficiencies is a noted enforcement trend that will likely continue in 2015.

New York Banking Regulator Announces New Cybersecurity Assessment Process

On December 10, 2014, the New York State Department of Financial Services (the “Department”) announced that it issued an industry guidance letter to all Department-regulated banking institutions that formally introduces the Department’s new cybersecurity preparedness assessment process. The letter announces the Department’s plans to expand its information technology examination procedures to increase focus on cybersecurity, which will become a regular, ongoing part of the Department’s bank examination process.

The guidance letter provides a list of topics that will be addressed in the Department’s cybersecurity examination process. The topics include:

  • Corporate governance issues related to cybersecurity;
  • Management of cybersecurity issues;
  • Resources devoted to information security and overall risk management;
  • The risks posed by shared infrastructure;
  • Protections against intrusion;
  • Information security testing and monitoring;
  • Incident detection and response processes;
  • Training of information of personnel;
  • Management of third party service providers;
  • Integration of information security into business continuity and disaster recovery policies and procedures; and
  • Cybersecurity insurance coverage and other third party protections.

The letter encourages all Department-regulated banks to view cybersecurity as an integral aspect of their overall risk management strategy. According to the Superintendent of Financial Services, Benjamin Lawsky, “[i]t is [the Department’s] hope that integrating a targeted cyber security assessment directly into [its] examination process will help encourage a laser-like focus on this issue by both banks and regulators … It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.”

The Department plans to schedule the cybersecurity examinations based on a comprehensive risk assessment of each New York State-chartered or licensed banking institution. In connection with this assessment, the Department will be sending a series of questions to banks requesting information on their current cybersecurity practices and management.

FFIEC Announces Plans to Update Cybersecurity Guidance in Wake of Cybersecurity Assessments

On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), on behalf of its members, released a report entitled FFIEC Cybersecurity Assessment General Observations (the “Report”) that contains observations from recent cybersecurity assessments conducted at over 500 community financial institutions as part of the FFIEC cybersecurity examination work program. The Report summarizes themes from the assessments and provides suggested questions for chief executive officers and boards of directors to ask when assessing their institutions’ cybersecurity preparedness. In light of the assessments, the FFIEC announced that its members will review and update current FFIEC cybersecurity guidance.

Based on the assessments, the FFIEC observed that the level of cybersecurity inherent risk varies significantly across financial institutions, in part due to the various types of network connections, products and services, and technologies used by financial institutions. The Report also contains observations on the overall cybersecurity preparedness of financial institutions, including findings on the current risk management, governance, threat intelligence, cybersecurity controls, incident response, and third party management practices of financial institutions.

Additionally, the FFIEC emphasized the importance of information sharing, noting that “[p]articipating in information sharing forums (e.g., Financial Services Information Sharing and Analysis Center) is an important element of a financial institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.” The FFIEC also recommended in a separate statement that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center as part of their process to identify, respond to, and mitigate cybersecurity threats and vulnerabilities.

CFPB Updates GLB Privacy Rule to Allow Online Privacy Notices

On October 20, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a finalized rule that enables certain financial institutions to comply with the Gramm-Leach-Bliley Act (“GLB”) by publishing their financial privacy notices online instead of mailing them to their customers. The GLB Privacy Rule requires financial institutions to provide privacy notices to their customers on an annual basis. The new disclosure method only applies to financial institutions regulated by the CFPB and does not impact those entities regulated by the Securities and Exchange Commission, Commodity Futures Trading Commission or Federal Trade Commission.

As we previously reported in May, the new rule only applies to financial institutions that meet certain conditions. For example, to qualify for the online delivery method, financial institutions must not share nonpublic personal information (“NPI”) with nonaffiliated third parties in a manner that requires an opt-out right be provided to customers. They also must use the model form regulators have developed to comply with the GLB Privacy Rule’s notice requirement.

The CFPB highlighted benefits of the new rule, which include:

  • Providing consumers with constant access to privacy policies;
  • Creating an incentive for financial institutions to limit their sharing of NPI;
  • Educating consumers using the easily understood model form; and
  • Reducing financial institutions’ compliance costs by an estimated $17 million annually.

In the press release announcing the new final rule, Richard Cordray, the Director of the CFPB, stated that “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”

The rule becomes effective once published in the Federal Register.

FTC Releases Staff Report Recommending Transparency Improvements for Mobile Shopping Apps

On August 1, 2014, the Federal Trade Commission released a new staff report examining the consumer protection implications of popular mobile device applications that provide shopping and in-store purchase services. The report, What’s the Deal? An FTC Study on Mobile Shopping Apps, details the findings from a recent FTC staff survey that studied consumer rights and data protection issues associated with some of the most popular mobile shopping apps on the market.

Building on the FTC’s March 2013 staff report on mobile payments, the survey examined 121 mobile shopping apps from the Google Play and Apple App Stores, focusing on the surveyed apps’ disclosures regarding their dispute resolution procedures, liability limits and consumer data practices. In general, the surveyed apps provide services for comparison shopping, collecting and redeeming discounts and coupons, and making in-store purchases with mobile devices. Based on the survey findings, the FTC staff concluded that these types of mobile shopping apps often fail to disclose information on issues that are important to consumers.  

In light of the survey findings, the report makes several recommendations to companies that offer mobile shopping apps, including:

  • “[C]ompanies should disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.” The FTC staff found that, prior to download, many in-store purchase apps frequently fail to equip consumers with sufficient information about how the service manages disputes over contested purchases and their policies regarding the consumer’s potential liability for unauthorized transactions. The report recommends that companies clearly communicate this information to consumers prior to installation, especially for methods of payment that lack the legal protections afforded to credit or debit card transactions, such as certain types of purchases involving prepaid, gift card or stored value accounts.
  • “[C]ompanies should clearly describe how they collect, use and share consumer data.” The FTC staff found that a majority of the surveyed apps have privacy disclosures that use vague language, reserving broad rights to collect, use, and share consumers’ information. The report encourages mobile shopping apps to clearly describe how they collect, use, and share consumer data to provide consumers with more detailed explanations about how the apps handle their information.
  • “[C]ompanies should ensure that their strong data security promises translate into strong data security practices.” The FTC staff found that an overwhelming majority of the surveyed apps promise to implement data security safeguards to protect consumer information. Although the FTC staff did not test the apps to verify whether the security measures functioned as promised, the report nevertheless urges companies to honor their data security promises and to employ reasonable and appropriate safeguards in accordance with FTC enforcement actions and guidance materials.

The report also provides guidance to consumers, encouraging them to think twice about how they select and use mobile apps. Consumers are advised to consider downloading an alternative app or avoid making large purchases if information about the app’s dispute resolution procedures and liability limits is not available prior to download. Likewise, the report warns consumers to make sure they understand how their data will be collected, used, shared and secured prior to downloading a mobile shopping app.

FTC Issues Report on Data Broker Industry, Recommends Legislation

On May 27, 2014, the Federal Trade Commission announced the release of a new report entitled Data Brokers: A Call for Transparency and Accountability, detailing the findings of an FTC study of nine data brokers, representing a cross-section of the industry. The Report concludes that the data broker industry needs greater transparency and recommends that Congress consider enacting legislation that would make data brokers’ practices more visible and give consumers more control over the collection and sharing of their personal information.

The Report finds that data brokers collect consumer data from both online and offline sources, storing billions of data elements pertaining to almost every U.S. consumer. In addition, the Report indicates that data brokers share data with each other, and they combine and analyze consumer data to make inferences, including potentially sensitive inferences, about consumers. The Report also notes that, to the extent data brokers currently offer consumers choices about their personal information, consumers may not be aware of those choices.

The FTC recommends that Congress enact legislation to address the lack of visibility into data broker practices, and to provide consumers with increased access and control. In recent years, several bills have been introduced to address these issues, but no federal legislation on the topic has been enacted to date.

The FTC Report takes a different approach from the recent White House data report, “Big Data: Seizing Opportunities, Preserving Values,” which was issued earlier in May. Whereas the White House report discusses both the benefits of data collection and its privacy implications, the FTC Report focuses more on potential harms to consumers. The FTC calls for writing into law concepts that have been part of industry voluntary codes of conduct for years.

As we previously reported, in September 2013, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, sent letters to twelve popular health and personal finance websites as part of his investigation of the data broker industry. The letters asked the companies to answer questions about their data collection and sharing practices. As reported in Bloomberg BNA, Senator Rockefeller “concluded that the FTC report ‘echoes findings’ of his committee’s recent probe of the data broker industry.”

The FTC voted to approve the issuance of the report 4-0, with Commissioner Terrell McSweeny not participating. Commissioner Julie Brill issued a concurring statement.

CFPB Proposes New GLB Privacy Notice Rule

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a new proposed rule impacting privacy notices that financial institutions are required to issue under the Gramm-Leach-Bliley Act (“GLB”). Under the current GLB Privacy Rule, financial institutions must mail an annual privacy notice (the “GLB Privacy Notice”) to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing.

Under the proposed rule, certain financial institutions may forgo the annual mailing requirement and instead include a brief disclosure in a billing statement or other communication that the GLB Privacy Notice is available online, then post that notice “in a clear and conspicuous manner” on the institution’s website. Financial institutions also must inform consumers that they may request a paper version of the GLB Privacy Notice by calling a toll-free number. To qualify for this online privacy notice option:

  • A financial institution must not share NPI with nonaffiliated third parties in a manner that requires an opt-out right be provided to customers;
  • The GLB Privacy Notice must not include an opt-out pursuant to the Fair Credit Reporting Act;
  • The GLB Privacy Notice cannot be the only notice the financial institution provides to satisfy FCRA requirements;
  • The GLB Privacy Notice must not have changed since the last time it was provided to customers; and
  • The GLB Privacy Notice must use the model form regulators have developed to comply with the notice requirement.

If a financial institution does not meet all of the requirements listed above, it must continue to mail the GLB Privacy Notice annually to its customers. In announcing the proposed rule, CFPB Director Richard Cordray noted that the changes would both improve customers’ abilities to “find and access privacy policies” and reduce the costs “for industry to provide disclosures.”

People’s Bank of China Issues Administrative Measures for Credit Reference Agencies

On November 15, 2013, the People’s Bank of China (the “PBOC”) issued its Administrative Measures for Credit Reference Agencies (the “Measures”) – eight months after the Administrative Regulations on the Credit Information Collection Sector (the “Regulations”) became effective on March 15, 2013. The Measures, which will take effect on December 20, 2013, were formulated to enhance the supervision and regulation of credit reference agencies and to promote positive developments in the credit information services sector.

The Measures are intended to complement the Regulations, which established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies. The Measures provide more detail, by clarifying and specifying rules for the establishment of credit reference agencies that deal with the personal credit information of individuals (“personal credit reference agencies”). The Measures require a personal credit reference agency to first apply for pre-approval for a License for Personal Credit Reference Business from the PBOC before the agency may incorporate. In contrast, credit reference agencies that deal with enterprises’ credit information may be incorporated first, and then file with the relevant local PBOC counterpart. The Measures also require the personal credit reference agency to comply with a set of technical information security standards with respect to their credit reference business, and undergo regular assessments by a third-party institution that is qualified to assess information security safeguards.

Also pursuant to the Measures, a credit reference agency may be subject to enhanced surveillance by the PBOC (or its local counterpart) under certain circumstances, such as when the agency (1) is involved in a serious data breach incident, (2) shows signs of a possible data leakage, (3) is having major financial difficulties, (4) has been the subject of numerous complaints, or (5) has failed to comply with its reporting and appraisal obligations.

The implementation of these detailed rules for establishing and running personal credit reference agencies (and other compliance requirements) offers yet another example of increased attention to personal information protection issues by the Chinese government.

Read our previous coverage on Chinese personal information protection issues, including our post on the Supreme People’s Court of China’s passing of the Provisions on the Online Issuance of Judgment Documents by People’s Courts.

FTC Announces Seminars on Mobile Device Tracking, Predictive Scoring and Consumer-Generated Health Data

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

In 2011, Senator Chuck Schumer (D-NY) urged companies to obtain opt-in consent from consumers before engaging in mobile device tracking and asked the FTC to examine the issue. In March 2013, Senator Al Franken (D-MN) asked one tracking company to explain how it collects and uses data from consumers. The FTC’s seminar will address the potential benefits of mobile device tracking to consumers, whether mobile device tracking is anonymous, and how companies can implement privacy by design, including notifying consumers and allowing them to choose whether or not to be tracked.

The seminar on predictive scoring will focus on the uses of predictive scores, ranging from identity verification and fraud prevention to marketing and advertising. The panel will discuss questions such as the accuracy of the scores and the underlying data used to create them, the privacy concerns surrounding the use of the scores and what consumer protections should be provided.

The seminar on consumer-generated health data will examine the types of websites, products and services consumers are using to generate and control their health data, the actions companies are taking to protect consumers’ privacy and security and whether advertising networks impose restrictions on tracking health data.

The Mobile Device Tracking seminar will be held on February 19, 2014 and the Alternative Scoring Products seminar will be held on March 19, 2014. The date of the Consumer Generated and Controlled Health Data seminar has not been announced. The FTC has invited comment from the public on the proposed topics, and will issue staff reports following the sessions.