In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More
Category Archives: Financial Industry Spotlight
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
- data controllers (companies collecting and using personal information) will have a wide range of new obligations,…
Tax season ‘tis the season to be phishing, according to the IRS. The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year. One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s. … More
The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.
On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More
Reminder: March 1, 2016 Effective Date for Information Systems Security Programs Including Cybersecurity for NFA Members
As noted in our earlier Foley Adviser, March 1, 2016 is the effective date for NFA member firms (including futures commissions merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
If you have any questions regarding implementation of these policies and procedures,… More
EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield
What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor. We are working to get details and will schedule a webinar on the new framework shortly.
The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More
Amendment to the Annual Privacy Notice Delivery Obligations of Financial Institutions under the Gramm-Leach-Bliley Act contained in the FAST Act
On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).
Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers,… More
As the Wall Street Journal noted yesterday, banks are being deluged with phishing attacks. These attacks are especially fierce around the holiday season, when more personnel are absent and normal procedures are ignored or bypassed. The FBI and other law enforcement agencies are focused on these attacks, but it only takes one employee to “believe” a phishing email for the trouble to start.… More
CFTC Approves NFA Interpretive Notice on Information Systems Security Programs, Including Cybersecurity Guidance
The CFTC recently approved the National Futures Association’s interpretive notice (the “Cybersecurity Notice”) on the general requirements that members should implement for their information systems security programs (“ISSPs”), which includes cybersecurity guidance and ongoing testing and training obligations.
The Cybersecurity Notice will be effective March 1, 2016 and applies to futures commissions merchants, commodity trading advisors,… More
Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More
The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform,… More
By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program. The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S.… More
This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:
Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.… More
By Martha Coakley and Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real,… More
The SEC Charges Investment Adviser with Violating Regulation S-P by Failing to Adopt Cybersecurity Policies and Procedures
In recent years, the SEC has been focused on cybersecurity. It has issued risk alerts, conducted examinations and provided guidance about what the agency sees as widespread weaknesses in many policies and procedures to protect against cyberthreats. The SEC has now taken the next step: a few days ago, the SEC brought its first-ever enforcement action for a violation of Regulation S-P, 17 C.F.R. § 248.30(a) – known as the “Safeguards Rule” – against an investment adviser that was itself the victim of a security breach in which hackers stole customer information.… More
SEC Issues Risk Alert Announcing Second Round of Examinations of Registered Investment Advisers and Broker-Dealers
* * *
On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative.… More
A key distinguishing feature of U.S. data privacy laws is their patchwork nature. There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive. For data breach response, in addition to the possible application of an industry-specific law or regulation,… More
This seminar was presented by Foley Hoag LLP and and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.
As the first and only international privacy standard for the cloud,… More
On April 28, 2015, the SEC’s Division of Investment Management (the “Division”) issued a Guidance Update regarding the SEC’s initiative to assess cybersecurity preparedness and threats in the securities industry, further highlighting this as an important area of focus for the SEC in its compliance initiatives.
am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance. My presentation is here: 2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation. It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
- Companies are only as secure as their most vulnerable employee.…
The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama. The purpose of the summit: to “bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.” These stakeholders, a number of public and private sector leaders,… More
SEC Office of Compliance Inspections and Examinations Releases Cybersecurity Examination Sweep Summary of Investment Advisers and Broker-Dealers
Our colleagues Catherine M. Anderson and Kate Leonard of our Investment Management group have summarized the February 3, 2015 findings by the Office of Compliance Inspections and Examinations (OCIE) of its Cybersecurity Examination Sweep, which sought to evaluate the breadth of cybersecurity policies implemented by investment advisers (as well as by broker-dealers). For more details on the sweep, see our previous Foley Adviser update: SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers.… More
The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:
Change from 2013
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds,… More
To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously , the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).… More
Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.
The full text of the Risk Alert is available here.
SEC-registered investment advisers should review the Risk Alert,… More
I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed. Talk to your IT folks about this sooner rather than later:
By Nicole Vincent Fleming
April 11, 2014 –… More
Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC). On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants. The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to how they are addressing those challenges. This roundtable follows hard on the heels of the Financial Industry Regulatory Authority (FINRA) sending targeted sweep letters in January-February 2014 to broker-dealers querying their approaches to managing cybersecurity risks.… More
An interesting article by Jeffrey Spear that appeared in the New Hampshire Bar News in July shows that the federal district court in New Hampshire is struggling with the same question as the district court in Massachusetts: What is the proper interpretation of the Computer Fraud and Abuse Act (“CFAA”)? … More
In the following article from Massachusetts Lawyers Weekly (reprinted with permission), Brian Bialas comments on the latest Computer Fraud and Abuse Act case, and the resultant split in the District of Massachusett on how to interpret the CFAA:
Ex-employees sued over computer use
Judge narrowly construes CFAA
By Eric T. Berkman
A technology company could not sue former employees for downloading proprietary information onto personal storage devices before they joined a competitor without showing that the employees had physically accessed the information through fraudulent or unlawful means,… More
The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.
The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. … More
Feb 18, 2013
U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains
In 1st Circuit, ‘ball in employer’s court’
By Correy E. Stephenson More
The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.Employers frequently add a CFAA claim to suits against former employees that take confidential information from company computer systems.…
PCI-DSS Update: The Payment Card Industry Security Standards Council Issues Guidelines for Security Risk Assessments, Cloud Computing, and Accepting Payments on Mobile Devices
Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so. The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers. Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards. … More
As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C.… More
A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. As described by the court in its opinion:
Over seven days in May 2009,… More
A recent Harris Interactive survey of 2,625 adult Americans reveals some interesting attitudes towards employer confidential information, including significant variations depending on an employee’s age:
– 68% of 18-34 year olds responded that it is acceptable to remove confidential information from their place of employment. This contrasts with just half (50%) of those 55 years old or older believing such behavior is acceptable.
The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.
This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act,… More
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one:
The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.… More
If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com. I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information. However, legislation may be coming that will address this concern.… More
I was interviewed for this PC World piece on the potential impact of Facebook’s recently announced IPO on data privacy. My take: being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies. This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction. … More
Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,”… More
On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject. More
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures,… More
hackers Anonymous “Lulz Security”
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem”… More
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies,… More
On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010. The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.
Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:
- This is an area where bipartisan concensus is possible.
- The industry powers will fight against “Do Not Track” and will win that fight.
- Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”
We could see passage of a federal data security and privacy statute,… More
FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies
Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area,… More
A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months. This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade’s version of Y2K. It seems likely that were are due for a long-term presence of privacy and security protection in our business and private lives. … More
Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.
Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act
Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations. The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ),… More
Incident of the Week: Security Officer Indicted On Obstruction of Justice Charges For Shredding Evidence
Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG’s Fort Lauderdale office to shred evidence of fraud.
In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers was part of a fraudulent scheme. … More
Incident of the Week: Goldman Sachs Programmer Arrested for Transfer of Top Secret Source Code for Goldman’s Automated Trading System
On July 3, 2009, FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server.
On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft. The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC),… More
Cracking Down: FTC Settles Claims Against Mortgage Company For Violations of FTC Safeguards Rule – Requires Information Security Program and 10 Years of Security Audits
On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums. According to the FTC, the result of this alleged failure was that an intruder in the company’s systems sent "millions of outgoing spam emails"… More
Cracking Down: FTC Fines Credit Research Firm $500,000 For Lax Security, Obtains Court Order Requiring Company to Develop “Comprehensive Information Security Program”
On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses who have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.
FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry
On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”
According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.” [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 data breaches in 2008.
ITRC considers “accidental exposure”… More
Isn’t There Already A Federal Standard Governing Information Security? — Re-Examining the Gramm-Leach Bliley Act
By Stacy Anderson and Gabriel M. Helmer.
As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard,… More