Category Archives: Financial Industry Spotlight

The Massachusetts State Police Commonwealth Fusion Center (CFC) believes that cyber actors may use the current bank failures for future phishing and business email compromise (BEC) attacks. Cyber actors often use current events to mask their phishing campaigns to seem more believable and relevant.  As everyone now knows, Silicon Valley Bank (SVB) became one of the largest banks to fail since the 2008 financial crisis. More recently, First Republic Bank also failed. … More

The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (“Safeguards Rule”), specific to defined financial institutions, designed to strengthen security for consumer financial information following a recent uptick in data breaches.

The amendments contain four main modifications to the existing Rule that outline additional protections financial institutions must implement when handling sensitive consumer data.

• First, the amendments provide financial institutions with additional guidance regarding developing and implementing an information security program,…

More

InfoTrax Systems, a Utah-based technology company, has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.  InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training,… More

As data breaches are seemingly reported on a daily basis, cybersecurity has emerged as a top enforcement priority for federal and state regulators and a key concern for companies of all sizes in a diverse range of industries. For example, compliance with federal cybersecurity regulations is required by nearly every government contract and the New York Division of Financial Services adopted a vast set of regulations that is applicable to all entities operating under NYDFS licensure.… More

Data breaches – always critically important to those with responsibility for storing, transporting and protecting electronic information – have become an all-consuming topic of late. Stories about data theft dominate political headlines, boardroom discussions, and family meetings around the dinner table.  They, of course, have also been the subject of government investigations and private litigation.

The current environment is not unlike other moments in our recent past that seemed to have captured the attention of Wall Street,… More

On January 10, 2019, Massachusetts Governor Charlie Baker signed a new law that amends its data breach reporting law, and requires credit reporting agencies such as Equifax to provide a free credit freeze to consumers.  The new law, “An Act Relative to Consumer Protection from Security Breaches,” also requires companies to offer up to three years of free credit monitoring to victims of a security breach,… More

Senator Mark Warner of Virginia has released a white paper outlining policy proposals for regulating social media and technology companies. The paper has gained significance in recent weeks as pressure builds on Congress to pass federal data privacy legislation. In the wake of Europe’s GDPR and California’s Consumer Privacy Act, industry groups, tech companies, and privacy activists alike have urged Congress to act.… More

On January 17, 2018, the Massachusetts Securities Division Enforcement Section filed a complaint against the company Caviar and its founder Kirill Bensonoff for violations of the Massachusetts Uniform Securities Act in connection with an ongoing initial coin offering (ICO).

This is Secretary of the Commonwealth William F. Galvin’s first enforcement action related to an ICO. Last month, Secretary Galvin announced that the Massachusetts Securities Division would conduct a sweep of Massachusetts entities engaged in ICOs.… More

Editors’ Note:  This is the eighth in a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year.  Previous installments include analyses of HIPAA compliance, emerging security threats, federal enforcement trends, state enforcement trends, … More

As most are aware, the Massachusetts Attorney General has won the race to the courthouse and been the first regulator to file suit against Equifax.

• The 28 page complaint is summed up on paragraph 4:Consumers do not choose to give their private information to Equifax, and they do not have any reasonable manner of preventing Equifax from collecting, processing, using, or disclosing it. Equifax largely controls how,…

More

Me and 143 million of my closest friends may have had our personal information inappropriately accessed through a breach at Equifax–is there no safe haven anywhere?  Deferring that question for another day, here are the instructions from the FTC on how to check if your data is implicated.  The first time I tried, I could not access the site:

I waited an hour and went back to the site. … More

With cyber security threats on the rise, broker dealers must prioritize protection of electronic investor information.  What cyber security threats exist for broker dealers?  In its 2015 Report on Cyber Security Practices, the Financial Industry Regulatory Authority (FINRA) identified a wide range of actors that may attempt to compromise a broker dealers’ electronic records and functions: (1) cybercriminals seeking to steal; (2) nation states; (3) terrorist groups;… More

The beginning of March, and a spell of unseasonably warm weather, graced the Northeast this week.  So too did New York’s first-in-the-nation cybersecurity regulations.  As we reported here in January, the initial launch of regulations was scuttled in response to industry concerns about scope and the inability to modify internal security measures by the established deadlines.  This resistance led New York’s Department of Financial Services (“DFS”) to slightly modify the regulations and delay implementation by one month.  … More

In late December, New York’s Financial Services Superintendent Maria T. Vullo announced that the New York’s Department of Financial Services’ (“DFS”) new cybersecurity regulations would not go into effect on January 1, 2017 as initially planned.  These “first-in-the-nation” cybersecurity regulations were designed to help protect consumers and the financial system from the increasingly serious threat of cyberattacks.  However, the regulations faced opposition from the financial services companies and insurers that would have been subject to them.… More

Editor’s note:  This is the sixth and last in our end-of-year series.  See our previous posts on trade secrets, state regulation and law enforcement, HIPAA compliance, emerging threats, and energy.  See you in 2017!

Fragmentation in U.S. data privacy and cybersecurity law is both peril and promise.  The peril?  Businesses must contend with uncertainty and the costs associated with pleasing many regulatory masters. … More

In Case You Missed It:  The SEC fined Morgan Stanley $1 million for a 2014 data breach.  While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion.  The  SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More

After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.

The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies.  For example:

• data controllers (companies collecting and using personal information) will have a wide range of new obligations,…

More

Tax season ‘tis the season to be phishing, according to the IRS.  The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year.  One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s. … More

The content of the Privacy Shield was made public yesterday and today.

The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.

On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More

As noted in our earlier Foley Adviser, March 1, 2016 is the effective date for NFA member firms (including futures commissions merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.

If you have any questions regarding implementation of these policies and procedures,… More

What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor.  We are working to get details and will schedule a webinar on the new framework shortly.

***

The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.

Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.… More

On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).

CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More

On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).

Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers,… More

As the Wall Street Journal noted yesterday, banks are being deluged with phishing attacks.  These attacks are especially fierce around the holiday season, when more personnel are absent and normal procedures are ignored or bypassed.  The FBI and other law enforcement agencies are focused on these attacks, but it only takes one employee to “believe” a phishing email for the trouble to start.… More

By Catherine M. Anderson and Kate Leonard

The CFTC recently approved the National Futures Association’s interpretive notice (the “Cybersecurity Notice”) on the general requirements that members should implement for their information systems security programs (“ISSPs”), which includes cybersecurity guidance and ongoing testing and training obligations.

The Cybersecurity Notice will be effective March 1, 2016 and applies to futures commissions merchants, commodity trading advisors,… More

A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age:  The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks.  At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More

What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology.  The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy:  whereas, generally speaking, in the EU data privacy standards are relatively uniform,… More

By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program.  The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S.… More

This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:

Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.… More

By Martha Coakley and Jon Hurst

This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.

Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The  impact on businesses, government, and other targets is also real,… More

In recent years, the SEC has been focused on cybersecurity. It has issued risk alerts, conducted examinations and provided guidance about what the agency sees as widespread weaknesses in many policies and procedures to protect against cyberthreats. The SEC has now taken the next step: a few days ago, the SEC brought its first-ever enforcement action for a violation of Regulation S-P, 17 C.F.R. § 248.30(a) – known as the “Safeguards Rule” – against an investment adviser that was itself the victim of a security breach in which hackers stole customer information.… More

From our colleagues Catherine Anderson and Lauren Tran, we present this update on OCIE’s 2015 Cybersecurity Examination Initiative:  Second Round of Cybersecurity Examinations to Begin

*   *   *

On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative.… More

A key distinguishing feature of U.S. data privacy laws is their patchwork nature.  There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive.  For data breach response, in addition to the possible application of an industry-specific law or regulation,… More

This seminar was presented by Foley Hoag LLP and and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.

As the first and only international privacy standard for the cloud,… More

By Catherine M. Anderson and Robert G. Sawyer

On April 28, 2015, the SEC’s Division of Investment Management (the “Division”) issued a Guidance Update regarding the SEC’s initiative to assess cybersecurity preparedness and threats in the securities industry, further highlighting this as an important area of focus for the SEC in its compliance initiatives.

The full text of the Guidance Update is available here.… More

am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance.  My presentation is here:  2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation.  It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More

Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.

Here are five takeaways for companies large and small:

1. Companies are only as secure as their most vulnerable employee.…

More

The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama.  The purpose of the summit:  to “bring[] together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.”  These stakeholders, a number of public and private sector leaders,… More

Our colleagues Catherine M. Anderson and Kate Leonard of our Investment Management group have summarized the February 3, 2015 findings by the Office of Compliance Inspections and Examinations (OCIE) of its Cybersecurity Examination Sweep, which sought to evaluate the breadth of cybersecurity policies implemented by investment advisers (as well as by broker-dealers). For more details on the sweep, see our previous Foley Adviser update: SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers.… More

The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:

Rank
Password
Change from 2013

1
123456
No Change

2
password
No Change

3
12345
Up 17

4
12345678
Down 1

5
qwerty
Down 1

6
123456789
No Change

7
1234
Up 9

8
baseball
New

9
dragon
New

10
football
New

11
1234567
Down 4

12
monkey
Up 5

13
letmein
Up 1

14
abc123
Down 9

15
111111
Down 8

16
mustang
New

17
access
New

18
shadow
Unchanged

19
master
New

20
michael
New

21
superman
New

22
696969
New

23
123123
Down 12

24
batman
New

25
trustno1
Down 1

Sadly,… More

I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all

 Joni Mitchell, “Both Sides Now”

Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds,… More

To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously , the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).… More

Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.

The full text of the Risk Alert is available here.

SEC-registered investment advisers should review the Risk Alert,… More

I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed.  Talk to your IT folks about this sooner rather than later:

By Nicole Vincent Fleming

April 11, 2014 –… More

Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC).  On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants.  The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to how they are addressing those challenges. This roundtable follows hard on the heels of the Financial Industry Regulatory Authority (FINRA) sending targeted sweep letters in January-February 2014 to broker-dealers querying their approaches to managing cybersecurity risks.… More

Originally posted on July 30th, 2013 by Brian P. Bialas

            An interesting article by Jeffrey Spear that appeared in the New Hampshire Bar News in July shows that the federal district court in New Hampshire is struggling with the same question as the district court in Massachusetts: What is the proper interpretation of the Computer Fraud and Abuse Act (“CFAA”)? … More

In the following article from Massachusetts Lawyers Weekly (reprinted with permission), Brian Bialas comments on the latest Computer Fraud and Abuse Act case, and the resultant split in the District of Massachusett on how to interpret the CFAA: 

Ex-employees sued over computer use
Judge narrowly construes CFAA

By Eric T. Berkman

A technology company could not sue former employees for downloading proprietary information onto personal storage devices before they joined a competitor without showing that the employees had physically accessed the information through fraudulent or unlawful means,… More

The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.

 The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. … More

Feb 18, 2013
U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains
In 1st Circuit, ‘ball in employer’s court’

By Correy E. Stephenson More

The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.Employers frequently add a CFAA claim to suits against former employees that take confidential information from company computer systems.…

Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers.  Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards. … More

The FTC announced today that it has, at long last, modified its Red Flags Rule to match the language of theRed Flag Clarification Act of 2010.  As this blog explained in 2010:

As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C.… More

A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. As described by the court in its opinion:

Over seven days in May 2009,… More

A recent Harris Interactive survey of 2,625 adult Americans reveals some interesting attitudes towards employer confidential information, including significant variations depending on an employee’s age:

– 68% of 18-34 year olds responded that it is acceptable to remove confidential information from their place of employment. This contrasts with just half (50%) of those 55 years old or older believing such behavior is acceptable.

–… More

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.

This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act,… More

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one:

The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.… More

If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com.  I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information.  However, legislation may be coming that will address this concern.… More

I was interviewed for this PC World piece on the potential impact of Facebook’s recently announced IPO on data privacy.  My take:  being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies.  This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction. … More

Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:

by Catherine M. Anderson, Jeffrey D. Collins 

As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1,… More

A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.

Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws,… More

Interesting Wall Street Journal article about rival banks joining forces to beat cyber crime.   Sounds a lot like the Advanced Cyber Security Center. More

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:

Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,”… More

On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject. More

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures,… More

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link. More

hackers Anonymous “Lulz Security”

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem”… More

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies,… More

On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010.  The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.

As we have noted in past entries about Red Flags Rule compliance,… More

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

1. This is an area where bipartisan concensus is possible.
2. The industry powers will fight against “Do Not Track” and will win that fight.
3. Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute,… More

Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which we posted on December 1.  We are cross-posting the analysis from their blog below.

It seems likely that the next two years will bring significant changes to this area,… More

A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months.  This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade’s version of Y2K.   It seems likely that  were are due for a long-term presence of privacy and security protection in our business and private lives. … More

Today, the Federal Trade Commission issued a press release and an Enforcement Policy extending the deadline for enforcement of the FTC’s Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations.   The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ),… More

Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG’s Fort Lauderdale office to shred evidence of fraud. 

In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers was part of a fraudulent scheme. … More

On July 3, 2009, FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server.

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC),… More

On Tuesday, May 5, 2009, in a press release devoted largely to the FTC’s congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement  of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums.  According to the FTC, the result of this alleged failure was that an intruder in the company’s systems sent "millions of outgoing spam emails"… More

On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC’s claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. This case provides a number of key lessons for businesses who have not considered whether their security practices amount to “unfair or deceptive acts or practices” under federal and state laws.

On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers “[t]o allow the FTC to perform a greater and more effective role in protecting consumers.”

According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.”   [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 data breaches in 2008.

ITRC considers “accidental exposure”… More

By Stacy Anderson and Gabriel M. Helmer.

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard,… More