Is the Smart Money Chasing Privacy and Security?

Posted on July 5, 2010 by Colin J. Zick

A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months.  This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade's version of Y2K.   It seems likely that  were are due for a long-term presence of privacy and security protection in our business and private lives.  While Y2K was a one-time event and and the huge amounts spent (waste?) on it left investors with a New Year's Day hangover, the digitization of commerce grows day by day, resulting in concomitant needs for information privacy and security, which may justify the faith of investors. 

Tags: , , , ,

ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Posted on May 28, 2010 by Gabriel M. Helmer

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

                                                                 *    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some business from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more that 20 individuals) remain subject to the Red Flags Rule. 

Tags: , , , , , , , , , , ,

Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act

Posted on April 22, 2010 by Gabriel M. Helmer

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations.   The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC)

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers.  On December 1, 2009, the agencies adopted a Model Form (.pdf) based on length quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement.  Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements. 

The online form builder consists of a linked set of instruction (.pdf) that leads financial institutions to one of four forms that are filled out depending on whether the company is providing customers with a right to opt-out or elects to allow affiliate marketing. 

GLBA Privacy Notice Forms:

 

Tags: , , , , , , , , , , , , ,

Incident of the Week: Security Officer Indicted On Obstruction of Justice Charges For Shredding Evidence

Posted on September 18, 2009 by Gabriel M. Helmer

Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG's Fort Lauderdale office to shred evidence of fraud. 

In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers was part of a fraudulent scheme.  Prosecutors obtained a temporary restraining order (.pdf) that expressly prohibited any attempt to destroy documents (among a litany of other bad behavior).  In the indictment filed against Raffanello (.pdf), federal prosecutors allege that on the day SFG received the SEC's complaint and court order, Raffanello and another executive corresponded by email and planned to hire a commercial shredding service to pay a visit to SFG 's office so they could unload a 95 gallon container of evidence.

Apparently, during their hurry to destroy the evidence, they did not manage to delete the emails discussing their plan.  This reminds me of something a friend once told me: if you are setting out to bury the truth, remember to bury the shovel too.

Tags: , , , , , , ,

Incident of the Week: Goldman Sachs Programmer Arrested for Transfer of Top Secret Source Code for Goldman's Automated Trading System

Posted on July 9, 2009 by Gabriel M. Helmer

On July 3, 2009, FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server. 

According to the criminal complaint and supporting affidavit (.pdf) filed in the federal court for the Southern District of New York, Aleynikov was part of the team that developed a high-speed, automated trading system for Goldman Sachs.  He resigned and left the company on June 5th, but federal prosecutors allege that in his last four days of work, Aleynikov encrypted and transferred 32 megabytes of source code relating to the automated trading system from Goldman's servers in New Jersey to a privately run document server in Germany.

Below we detail some of the evidence behind the arrest - evidence that demonstrates why adequate workplace monitoring and an appropriate response plan is key in protecting proprietary information.

Continue Reading...
Tags: , , , , ,

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

Posted on June 15, 2009 by Jeff Bone

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
     
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or creditor" under the Fair Credit Reporting Act.
     
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
     
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
     
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
     
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft"
     
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such a systems with non-automated procedures;
     
  • The Rules and Guidelines required financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services;

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.   Moreover, much of the guidance given was extremely vauge.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

Links:

 

Tags: , , , , ,

Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule - Requires Information Security Program and 10 Years of Security Audits

Posted on May 12, 2009 by Gabriel M. Helmer

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC's congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement  of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company's systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization."  In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company has agreed to implement an information security program and subject itself to biennial security audits for 10 years. 

In the FTC complaint (.pdf), federal regulators claimed, among other things, that the mortgage company "failed to provide reasonable and appropriate security for personal information," including by failing to implement a "comprehensive written information security program."  Such a program is a requirement for financial institutions, including lenders and mortgage companies, under the FTC Safeguard's Rule, a regulation promulated in 2002 to implement Section 501(b) of the Gramm Leach Bliley Act (GLBA).  The complaint also alleged that Jame B. Nutter & Company failed to provide customers adequate notice of its security practices, as required by the FTC Privacy Rule.  The Privacy Rule was promulgated in 2000 to implement Sections 501 through 509 of the GLBA. 

Notably, the complaint makes few allegations of damage to consumers.  The only alleged harm consisted of spam email and the possibility of unauthorized access to customer information.  No doubt this is the reason why the settlement did not involve a substantial fine, as the FTC sought, at least nominally, in its last enforcement action in this area (see our posting on the FTC's settlement with Rental Research Services).  The case thus suggests that the FTC may be willing to undertake enforcement efforts when only consumer privacy interests are affected, even in the absence of concrete financial harm. 

* Update: an attorney representing James B. Nutter & Company has contacted us to provide Security, Privacy and the Law with the company's press release on this incident (.pdf) and to clarify that the company is obligated to submit to only 5 biennial security audits over 10 years.

Links:

 

Tags: , , , , , , ,

Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop "Comprehensive Information Security Program"

Posted on April 17, 2009 by Gabriel M. Helmer

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users.  According to the FTC, the the faults in RSS's security amounted to "unfair acts or practices" in violation of the FTC Act.  RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition. Also, in a move that echos the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029. 

Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers.  Below I will summarize the case and identify the key elements of the information security program that the FTC required.

Continue Reading...
Tags: , , , , , , , ,

FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry

Posted on March 24, 2009 by Gabriel M. Helmer

On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:

  1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Liebowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and
     
  2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.
Continue Reading...
Tags: , , , , , ,

Trends in Data Breach Incidents, Part 2: Avoiding Accidental Exposure

Posted on February 8, 2009 by Aaron Wright

According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.”   [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 data breaches in 2008.

ITRC considers “accidental exposure” to be those breaches caused by “inadvertent internet/web posting.” For example, consider the accidental exposure the ITRC labels as “ITRC20080709-02”. In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing software, LimeWire, on a computer that contained personal information relating to the company’s clients. Presumably, the employee installed the software because he wanted to download an MP3, a movie or some piece of software (in violation of copyright law). However, by failing to properly configure the software, the employee inadvertently opened up company files on the computer to any LimeWire user on the Internet. This turned out to be especially disastrous from a public relations standpoint: the data exposed included a number of powerful Washington D.C. area attorneys as well as Supreme Court Justice Stephen Breyer. The story was published on the front page of the Washington Post and received attention from other national papers, such as the L.A. Times. While the breach exposed data involving only a relatively modest number of people, 2,000 individuals, the fact that the lapse involved some high profile victims created substantial bad press. Referring to the file-sharing software, Wagner Resource Group founder Phylyp Wagner stated "I didn't even know what peer-to-peer was. I do now."

Because accidental exposures are caused by human error, a prime problem with this type of breach is that they generally make the company look much worse than a breach caused by a hacker or an ill-intentioned insider. A consumer can understand a company being outsmarted by a thief, even being compromised by a disgruntled ex-employee, but there is often much less forgiveness for companies who appear to have disclosed their information through sheer carelessness. (See the link for the Breach Blog’s candid response to the news that personal data may have been exposed by an employee of Vonage placing it online in a Google Notebook).

Protecting against accidental exposure usually does not require expensive solutions. An appropriate computer usage policy prohibits the installation of unauthorized software, like LimeWire and other peer-to-peer file sharing programs that have come under intense fire from the recording and motion picture companies in the last decade. Educating staff, whether through training programs or the occasional reminder, about what to do and what not to do may often be the least expensive solution to accidental exposure. In addition, system administrators need to make sure they are taking appropriate steps to block or monitor peer-to-peer network traffic originating from inside the company network. 

Links:

Tags: , , , , , , , ,

Isn't There Already A Federal Standard Governing Information Security? -- Re-Examining the Gramm-Leach Bliley Act

Posted on January 21, 2009 by Foley Hoag LLP

* By Stacy Anderson and Gabriel M. Helmer.

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.

Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: 1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access or use of customer information. 

In 2001, the Department of Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution’s Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible – they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. In addition, they must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.

In 2002, the Federal Trade Commission (FTC) issued its “Standards for Safeguarding Customer Information,” commonly referred to as the Safeguards Rule. The rule apples to financial institutions over whom the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution’s board, and does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC’s recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.

Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.

Links:

Tags: , , , , , , ,