On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first and second posts on cybersecurity practice impacts.

This post focuses on threats posed by insiders of the firm, which may arise either from deliberate, malicious conduct or from inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher-revenue firms (95-99%) address insider threats as part of their cybersecurity program, only 66% of mid-level revenue firms address such risks. FINRA’s assessment comes from its review of firm responses to relevant inquiry areas in its 2017 and 2018 Risk Control Assessments (RCA). Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Insider Threats If Your Program Only Focuses on External Threats, You are Only Halfway There

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts. Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprisingly, albeit somewhat unusually, the importance of the topic and FINRA’s insights warranted a separate communication. Continue Reading FINRA Issues 2018 Report on Selected Cybersecurity Practices

The U.S. Treasury recently released a report identifying improvements that would support nonbank financial institutions but also embrace innovation and technology. Among other things, the report recommends the creation of a national data breach notification standard and the development of effective national and international Fintech policies, including Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) efforts.

In addition to the aforementioned, the report outlines roughly 80 suggestions meant to:

• “Embrace the efficient and responsible use of consumer financial data and competitive technologies;
• Streamline the regulatory environment to foster innovation and avoid fragmentation;
• Modernize regulations for an array of financial products and activities; and
• Facilitate ‘regulatory sandboxes’ to promote innovation.”

A copy of the report can be found here.

This post originally appeared in our sister publication, Subject To Inquiry.

On May 21, the North American Securities Administrators Association (NASAA) announced a massive and coordinated series of enforcement actions by U.S. state and Canadian provincial regulators to combat fraudulent practices involving cryptocurrency-related investment products.

As cryptocurrencies have gained in popularity, companies have increasingly turned to a method known as an initial coin offering (ICO) to raise capital. ICOs, however, are ripe for potential fraud. As the Washington Post has explained, “consumers face higher risks of being misled at a time when the intense demand for bitcoin has prompted many retail investors to take extreme steps to gain exposure to the currency…”

Continue Reading State Regulators Announce Cryptocurrency Crackdown

The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.

Tax Return Data

As highlighted in January, the General Assembly this year continued its efforts to address the growing problem of criminals filing fraudulent tax returns using stolen identities of unsuspecting taxpayers. Last year, Virginia adopted legislation that requires employers and payroll service providers to provide breach notification to the Attorney General of Virginia when those entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).

This year, Virginia enacted legislation aimed at imposing certain obligations on state tax return preparers. Tax return preparers are not required to comply with Virginia’s data breach notification statute. However, effective July 1, 2018, Virginia tax return preparers are required to notify the Virginia Department of Taxation:

“without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information maintained by such signing income tax return preparer and that creates a reasonable belief that an [unprotected] version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” Acts of Assembly, Chapter 283

Additionally, if a breach occurs, the state tax return preparer is required to provide the Department information concerning the taxpayers whose information was accessed or obtained by unauthorized persons and certain information about the preparer. It is estimated that the enactment of this legislation will save Virginia approximately $300,000 by avoiding the issuance of unrecoverable fraudulent refunds.

Other Privacy-Related Legislation

Additional bills related to privacy include (partial listing):

  • PASSED: Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1
  • PASSED: Reduction in the amount a credit reporting agency may charge a consumer to place a security freeze on his credit report from $10 to $5. 1027 SB16
  • DEFEATED: Eliminating the ability of a credit reporting agency to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB18; SB22; (partial listing)
  • DEFEATED: Prohibiting companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering with or unreasonably disadvantaging a user’s ability to access broadband internet access. The bill also would have limited broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or authorized law-enforcement activities. SB948
  • DEFEATED: Limiting state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Proposed to prohibit internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill proposed to prohibit such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law-enforcement activities. SB949
  • DEFEATED: Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588
  • DEFEATED: Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested for, charged with, or convicted of any crime (a.k.a. “ban-the-box”). SB252; HB1357
  • DEFEATED: Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240
  • DEFEATED: Allowing the use of drones by law-enforcement without obtaining a warrant under certain circumstances. HB1290
  • DEFEATED: Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law-enforcement officer except pursuant to a search warrant. HB604
  • DEFEATED: Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and develop best practices to assist localities with cybersecurity. HJ39

Virginia’s approach on privacy issues this past session reflects its approach on most issues – a measured response to actual problems. This approach is in contrast to some states enacting policies in anticipation of future issues or without a solid indication of potential harm to consumers. In the case of the security freeze legislation, the enacted bill was in response to a significant data breach last year involving one of the big three credit reporting agencies. With regard to protecting certain student directory information, the General Assembly acted in response to the perceived misuse of such information by political campaigns. Finally, the legislature continued its efforts to address the continuing problem of tax fraud by attempting to cut off avenues for would-be identity thieves to file false state income tax returns.

The one-year transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expired on March 1, 2018. Financial services companies that are regulated by NYDFS now face additional requirements for assessing, monitoring, testing and reporting on the integrity and security of their information systems and the overall effectiveness of their cybersecurity programs.

Overview of New York Cybersecurity Regulations

The NYDFS cybersecurity regulations became effective on March 1, 2017, and the initial 180-day transitional period expired on August 28, 2017. The regulations that took effect last year require all covered entities to implement a cybersecurity program that identifies and protects against cybersecurity risks and adopt comprehensive policies and procedures for the protection of the company’s information systems and nonpublic information. The cybersecurity regulations apply to any organization operating under or required to operate under a NYDFS license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. Click here for more information about the requirements of the regulations that took effect last year.

Additional Actions Required to Achieve Compliance

On March 1, 2018, additional requirements under the cybersecurity regulations took effect. In addition to the requirements that took effect last year, covered entities that are subject to the cybersecurity regulations must implement the following additional cybersecurity measures: Continue Reading New York Cybersecurity Regulations: Additional Testing and Reporting Requirements Take Effect

The Financial Industry Regulatory Authority (FINRA) is ramping up its commitment to assist the industry in its cybersecurity compliance efforts. Recent guidance to the industry from FINRA includes:

  1. an Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA included compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets); and
  2. the 2018 Regulatory and Examination Priorities, in which, notably, FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report.

FINRA called out cybersecurity, in its Examination Findings Report, as one of the “principal operational risks facing broker-dealers.” While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing “cutting-edge cybersecurity programs.”

FINRA detailed the areas in which, during the examinations, it observed firms’ cybersecurity programs to be either effective or deficient. Reviewing the positives and negatives provides valuable information for firms looking to shore up their cybersecurity programs.

Examples of Effective Practices Include:

  • Escalation Protocols: Have an escalation process that ensures the appropriate level at the firm is apprised of issues to ensure attention and resolution.
  • Plans to Resolve Issues: Implement detailed resolution steps and time frames for completion.
  • Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests.
  • Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training.
  • Branch Office Reviews: Include cybersecurity focused branch exams to assess risks and identify issues.
  • Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools.

Examples of Deficient Practices Include:

  • Failure to Follow Access Management Steps:
    • Not immediately terminating access of departing employees.
    • Failing to have processes to monitor or supervise “privileged users” to identify unusual activity (e.g., assigning extra access rights, unauthorized work outside business hours, or logging in from different geographical locations at or about the same time).
  • Infrequent or No Risk Assessments:
    • No formal risk assessment practices.
    • Unable to identify critical assets or potential risks.
  • Informal Processes for or Lack of Vendor Management:
    • Failed to have formal processes to assess vendors’ cybersecurity preparedness.
    • Failed to include required notification of breaches involving customer information in vendor contracts.
  • Noncompliant Branch Offices:
    • Failed to manage passwords.
    • Failed to implement security patches and software updates.
    • Failed to update anti-virus software.
    • Lacked control of employee use of removable storage devices.
    • Use of unencrypted data and devices.
    • Failed to report incidents.
  • Segregation of Duties:
    • Failed to segregate duties for requesting, implementing, and approving cyber-security rules and systems changes.
  • Data Loss Prevention:
    • Lack of rules to ensure all customer sensitive information is covered.
    • Permitted or failed to block large file transfers to outside or untrusted recipients.
    • Failed to implement formal change-management processes for data loss prevention systems changes.
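The two access-management deficiencies above (stale access for departed employees, and no monitoring of privileged users for concurrent logins from different geographies or activity outside business hours) are straightforward to check mechanically. The following Python script is an added example, not code from FINRA or from this post; the login records, the privileged-user list, the termination dates and the 07:00-20:00 business-hours window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample authentication records (user, UTC timestamp, country code).
# Assumed format; a real firm would pull these from its SIEM or directory logs.
SAMPLE_LOGINS = [
    ("alice.admin", "2018-03-05T09:02:00", "US"),
    ("alice.admin", "2018-03-05T09:40:00", "RU"),  # 38 min later, different country
    ("bob.ops",     "2018-03-05T14:10:00", "US"),
    ("bob.ops",     "2018-03-06T02:15:00", "US"),  # outside business hours
    ("carol.dba",   "2018-03-05T11:00:00", "US"),
    ("carol.dba",   "2018-03-05T11:30:00", "US"),  # same country, benign
    ("dave.admin",  "2018-03-07T10:00:00", "US"),  # logged in after termination
]

# Constructed reference data: which accounts are privileged, and who has left the firm.
PRIVILEGED_USERS = {"alice.admin", "bob.ops", "carol.dba", "dave.admin"}
TERMINATION_DATES = {"dave.admin": "2018-03-02"}

BUSINESS_HOURS = (7, 20)          # assumed local window: 07:00 <= hour < 20:00
GEO_WINDOW = timedelta(hours=2)   # assumed: two countries inside 2 h is "at or about the same time"


def parse(record):
    """Turn a raw (user, iso_timestamp, country) tuple into typed values."""
    user, ts, country = record
    return user, datetime.fromisoformat(ts), country


def concurrent_geo_logins(records, window=GEO_WINDOW):
    """Same privileged user seen in two different countries within `window`.
    Compares consecutive logins per user after sorting by time, which is
    enough to catch a location change; returns (user, t1, c1, t2, c2) tuples."""
    by_user = {}
    for user, ts, country in map(parse, records):
        if user in PRIVILEGED_USERS:
            by_user.setdefault(user, []).append((ts, country))
    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                findings.append((user, t1, c1, t2, c2))
    return findings


def off_hours_logins(records, hours=BUSINESS_HOURS):
    """Privileged logins whose hour falls outside the assumed business window."""
    start, end = hours
    return [(u, t, c) for u, t, c in map(parse, records)
            if u in PRIVILEGED_USERS and not (start <= t.hour < end)]


def logins_after_termination(records, terminated=TERMINATION_DATES):
    """Logins by accounts that should have been disabled on departure.
    Any login strictly after the termination date is a finding."""
    findings = []
    for u, t, c in map(parse, records):
        end = terminated.get(u)
        if end and t.date() > datetime.fromisoformat(end).date():
            findings.append((u, t, c))
    return findings


def review(records):
    """Run all three checks and return the findings keyed by deficiency."""
    return {
        "concurrent_geo": concurrent_geo_logins(records),
        "off_hours": off_hours_logins(records),
        "post_termination": logins_after_termination(records),
    }


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOGINS).items():
        for item in items:
            print(category, *item)
```

Each list the script returns maps directly to one of the deficiencies FINRA lists; an empty list is the evidence an examiner would expect to see for that control.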

FINRA’s 2018 Examination and Regulatory Priorities also include cybersecurity as a priority area. In addition to the areas noted above, which FINRA also calls out in the Priority Letter, FINRA noted two additional themes. One, it will evaluate the effectiveness of firms’ cybersecurity programs in protecting sensitive information. Two, FINRA also reminds firms that they need policies and procedures to determine when a Suspicious Activity Report should be filed regarding a cybersecurity event. (See FinCEN’s Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, Oct. 25, 2016.)

Conclusion

FINRA reminds firms that, while exam deficiencies must be addressed, firms often benefit from “proactively” remediating issues before the exam is completed. Acting proactively strengthens firms’ programs and enhances regulatory protections. Our observation, as outside counsel, is that when firms take proactive steps to get ahead of issues, it demonstrates to the regulators that the firm has a commitment to a strong compliance program and, in the right circumstances, may have a material impact on how FINRA decides to resolve an issue.

The information FINRA provides in the Examination Report and Priorities Letter provides a roadmap to enhancing overall compliance, supervisory, and risk management programs. With regard to the focus on cybersecurity, by using this resource, firms can effectively prepare for examinations and potentially prevent program gaps and avoid cybersecurity incidents.

On October 18, 2017, the European Commission issued its report on the first annual review of the EU-U.S. Privacy Shield, aimed at allowing personal data transfer from the EU to the U.S. through the implementation of a data protection framework providing an adequate level of protection in the U.S. Over 2,400 companies have now been certified under the Privacy Shield framework by the U.S. Department of Commerce.

From the European Commission’s perspective, the Privacy Shield continues to ensure an adequate level of protection, including new redress possibilities for individuals, enforcement procedures, and cooperation with the European data protection authorities. However, as “[t]he Privacy Shield is not a document lying in a drawer” but “a living arrangement that both the EU and U.S. must actively monitor”, the Commission made some recommendations to improve the current framework:

“More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce.

More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.

Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.

Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).

To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).”

Is this review a sufficient guarantee for U.S. businesses to continue to rely on their Privacy Shield certification with absolute trust? That remains to be seen. Indeed, the Commission negotiated the Privacy Shield agreement to reconcile the data exchange economy with the standard that must be reached in order to comply with the requirements imposed by the EU Court of Justice (CJEU). The Commission was expected to advocate for the ongoing validity of the compromise. However, a number of authorities and data protection defenders are of the opposite opinion.

The European Data Protection Supervisor, one of the strongest official voices on data protection in the EU, already had some concerns about its validity (Opinion n° 4/2016 of May 30, 2016). So did the Article 29 Working Party, which gathers all national data protection authorities at the EU level (Opinion n° 1/2016 of April 13, 2016). These two authorities will soon issue their own reports on this first annual review. Furthermore, these reports could have some impact on the outcome of the two actions currently pending before the CJEU, which aim to invalidate the Privacy Shield’s adequacy decision on the following grounds:

  • The possibility for U.S. agencies to legally access, on a generalized basis, the content of electronic communications;
  • The absence of complete transposition of the right to access, rectify, oppose and erase, that the EU regulations grant to data subjects; and
  • The absence of a fully independent U.S. data protection authority, with complete effective and binding redress power.

U.S. entities certified with the Privacy Shield should closely monitor the development of those cases since, in the end, the CJEU will have the final say. It would also be prudent for them to take advantage of the opportunity to implement additional safeguards by using other data transfer mechanisms, such as Binding Corporate Rules, Certification (when available), adherence to approved Codes of Conduct or Standard Contractual Clauses.

For more information on the future of the Privacy Shield, please refer to the following Password Protected blog posts:

The Validity of EU-U.S. Personal Data Export Tools: A Pending Issue

Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict

Criticisms over the Draft Adequacy Decision by the European Data Protection Supervisor: Final Lap for the Privacy Shield?

WP 29 Expresses Concerns About EU-U.S. Privacy Shield

EU-U.S. Privacy Shield: Better or Worse?


On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses rely on the consumer-authorized financial data market are scrambling to regain consumer trust.

Noting the “growing market” for consumer-authorized financial data aggregation services, the CFPB has promulgated nine principles which, in the words of CFPB Director Richard Cordray, “express [the Bureau’s] vision for realizing an innovative market that gives consumers protection and value.” (See CFPB press release).

Many of the principles themselves will be familiar to anyone who has paid attention to consumer privacy discourse over the last 30+ years. They are in many ways a restatement of the OECD Guidelines, published in 1980 by the Organisation for Economic Co-operation and Development, but with a few useful additions. The “new” CFPB principles include time-tested privacy principles of:

  1. informed consent & control over data sharing;
  2. notice and transparency regarding the third parties’ access to and use of consumer data;
  3. data quality & accuracy and the right of consumers to dispute inaccuracies;
  4. an expectation of security and safeguards to protect consumer data;
  5. a right of access by consumers to their own data; and
  6. accountability to the consumer for complying with the foregoing principles.

In addition, however, the CFPB principles contain some fairly specific guidance that is particularly useful in the context of financial data and may have a significant impact on the way financial data is gathered, marketed and retained. For example, the CFPB Principles contain a specific principle (#4) regarding payment authorization:

  • Authorizing Payments. Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

The above principle is one of several that illustrate the CFPB’s disapproval of broad, open-ended consents from consumers, favoring instead tailored, purpose-specific access. Principle #2 (Data Scope and Usability) is another example of this theme. It reads in part, “Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”

It remains to be seen how these principles might be applied to data collectors like credit bureaus, who typically hold consumer data for as long as a consumer’s lifetime. The CFPB’s press release emphasized that the principles are not intended to supersede or interpret any existing consumer protection statutes or regulations and that they are not binding. Still, they do provide a window into the CFPB’s mindset and the likely trend for future regulation.