On March 5, the Federal Trade Commission announced that it will soon publish notices in the Federal Register seeking comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The proposed changes seek to align the rules with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015.
Enacted in 2003, the Safeguards Rule requires a financial institution to develop, implement and maintain a comprehensive information security program. Enacted three years earlier in 2000, the Privacy Rule requires a financial institution to inform customers about its information-sharing practices and to afford opt-out rights to prevent information sharing with certain third parties. The FTC voted 3–2 to publish the proposed amendments to the Safeguards Rule, while the proposals relating to the Privacy Rule passed by a unanimous 5–0 vote.
The proposed changes to the Safeguards Rule seek to add more detailed requirements for the contents of a comprehensive information security program. For example, financial institutions would be required to encrypt all customer data, implement access controls to prevent unauthorized users from accessing customer information and use multifactor authentication for access to customer data.
The enactment of the Dodd-Frank Act narrowed the scope of the Privacy Rule, transferring the majority of the FTC’s rulemaking authority to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority over certain motor vehicle dealers. The FTC has proposed to remove from the Privacy Rule examples of financial institutions that do not apply to motor vehicle dealers.
Copies of the notices and proposed changes may be viewed on the FTC’s website at www.ftc.gov. Comments must be received within sixty days after publication in the Federal Register and will be posted on Regulations.gov. We will monitor the comments and the course of the proposed regulatory amendments.
In February 2018, the Medical University of South Carolina (“MUSC”) announced during a meeting with its board of trustees that 13 employees were terminated in 2017. The administrators of MUSC determined that these employees accessed patient records without permission. Such access without permission is considered “snooping.” Studies have found employee snooping is one of the biggest threats to HIPAA privacy. Snooping usually occurs when an employee views the medical records of friends, family, work colleagues or a celebrity without authorization because the employee is curious about why that person is there or what treatment they are receiving.
Such snooping is considered a breach under HIPAA. HIPAA provides three exceptions to the definition of “breach.” One exception applies when an employee of a covered entity unintentionally accesses or uses protected health information, but only where such access or use is made in good faith and within the scope of authority. However, the Department of Health and Human Services, Office for Civil Rights (OCR) has provided that this exception does not apply to snooping employees because snooping is neither unintentional nor done in good faith.
In order to monitor snooping, MUSC has designated certain employees to monitor the news to identify any possible patients making the news. At times, some employees will snoop in a patient’s record after that patient is discussed in the news. Eleven of fifty-eight privacy breaches at MUSC in 2017 were categorized as snooping.
A MUSC spokeswoman also issued a statement regarding the terminations based on snooping and provided that “[s]ome breaches are simply a case of information being faxed to the wrong clinic location, whereas others can involve misplaced curiosity or malice” and “[t]ransparency is incredibly important, and necessary, to prevent and discourage future breaches…”
An impending cybersecurity regulation intended to protect consumer data in New York’s financial services industry threatened to reach numerous charitable organizations swept in through their use of a common fundraising (planned giving) method, the charitable gift annuity. The new cybersecurity strictures from the state’s Department of Financial Services (“DFS”) go into effect on March 1, 2017. New York’s nonprofit community faced onerous and costly compliance obligations, including specified risk-based cybersecurity programs, penetration testing and vulnerability assessments, mandated reporting of cybersecurity events, and encryption of specified “nonpublic information” in transit and at rest.
New York has billed its “first-in-the-nation” cybersecurity regulation as “designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.” The stated purpose of the rule is to “protect consumer data and financial systems from terrorist organizations and other criminal enterprises.” However, advocates for the state’s charitable community, including Nixon Peabody LLP, told DFS the regulation as drafted not only applied to the state’s intended targets - banks, insurance companies and other financial services entities - but also reached charities that had only a tangential connection to DFS through a section of the state’s Insurance Law.
Many charities, including colleges, universities, community foundations, religious institutions and health care providers, are subject to DFS’s regulation solely because they issue charitable gift annuities as part of their fundraising and development efforts. A charitable gift annuity allows a donor to make a charitable gift in exchange for a fixed annuity paid to the donor over his or her lifetime. Section 1110 of New York’s Insurance Law requires charitable entities exceeding a specified threshold of required reserved funds related to gift annuities ($1,000,000) to obtain a special permit from DFS to continue to issue gift annuities in the state. It was this permit from DFS that triggered application of the new cybersecurity regulation to New York’s nonprofit community.
Charities that would have been subject to the cybersecurity rule solely through the special permit requirement urged DFS to exempt them, arguing they maintained only minimal personally identifiable information about donors for tax reporting purposes. In addition, they cited other cybersecurity mandates they followed associated with their respective industries that protected sensitive donor data, such as HIPAA and FERPA. The charities argued they were unfairly, and perhaps inadvertently, being covered by the new rule. Yesterday, DFS agreed, announcing a final cybersecurity regulation that included the requested exemption.
On January 9, Congressmen Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which seeks to update the Electronic Communications Privacy Act (ECPA) enacted in 1986. Under the ECPA, the government must obtain a probable cause warrant to access electronic communications stored with third-party service providers that are less than 180 days old or unopened. The government may obtain through a subpoena electronic communications that are opened or more than 180 days old. The Email Privacy Act would require all governmental agencies to obtain a warrant to search Americans’ online communications, regardless of when the e-mail was crafted. This legislation is the latest initiative among the many calls to update the ECPA.
The Email Privacy Act received bipartisan support last year and passed the House of Representatives in April 2016 by a 419–0 vote. The Senate, however, failed to act on the bill before the 114th Congress came to a close. In his press statement upon the legislation’s reintroduction last week, Congressman Yoder wrote: “Let’s give the Senate ample time to act, because more than 30 years has been long enough for Congress to wait on this. It’s simple, in 2017, if the federal government wants to access Americans’ digital content, it must get a warrant.”
The Email Privacy Act seeks to affirm that Americans have a reasonable expectation of privacy in their e-mail accounts and content stored online. The government will be expected to show probable cause to compel service providers to disclose any communications or their means of storage. The sponsors of the legislation stress that it still preserves the legal tools necessary to conduct criminal investigations and protect the public, and nothing in the bill alters the current warrant requirements under the Wiretap Act, Foreign Intelligence Surveillance Act or any other law.
We will monitor the Email Privacy Act in Congress this term and report back on any significant developments as it is considered for passage in both houses.
As we previously reported, the New York Department of Financial Services (NYDFS) issued a cybersecurity regulation for regulated financial services companies effective on January 1, 2017. The proposed regulation met with significant opposition and concerns in comments submitted to NYDFS. Concerns included inconsistencies between federal and state requirements and the impact of a company’s size upon its ability to meet the cybersecurity requirements. In response, NYDFS recently announced that it would extend the compliance date to allow regulated companies additional time to understand and implement the requirements.
On December 28, Financial Services Superintendent Maria T. Vullo announced that NYDFS “has updated its proposed first-in-the-nation cybersecurity regulation to protect New York State from the ever-growing threat of cyberattacks.” The proposed regulation will take effect on March 1, 2017, which will require banks, insurance companies and other regulated financial services institutions to “establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”
NYDFS has stated that it carefully considered the comments expressed regarding the initially proposed regulation. It submits that it has incorporated the comments into the updated version of the regulation, which is now subject to an additional final 30-day comment period. NYDFS will focus its final review on any new comments that were not previously raised during the original comment period.
We will analyze and report on the updated cybersecurity regulation, which may be found here.
On September 13, New York Governor Andrew Cuomo announced the state’s proposed cybersecurity rules applicable to banks, financial service firms and insurers. The New York Department of Financial Services (“NYDFS”) has issued for public comment Cybersecurity Requirements for Financial Services Companies. As stated in the introduction to the regulation, regulatory action and proactive measures are necessary to combat the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The regulation “is designed to promote the protection of consumer information as well as the information technology systems of [entities regulated by NYDFS].”
Financial institutions will be required to establish a cybersecurity program performing the following five core functions: (1) identification of cyber risks, (2) implementation of policies and procedures to protect against unauthorized access or use and other malicious events, (3) detection of cybersecurity events, (4) response to identified cybersecurity events, and (5) recovery from cybersecurity events and restoration of normal operations and services.
Also, the institutions must adopt a written cybersecurity policy to protect their information systems and non-public information. The policies must address an array of vital functions, including business continuity and disaster recovery, access controls and identity management, and physical security and environmental controls. The management and oversight of third-party service providers is another key component of the regulation’s broad scope and intended protections, which will require due diligence and periodic assessments of vendors and contractors.
Institutions must designate a Chief Information Security Officer with responsibility to oversee and implement the cybersecurity program and enforce cybersecurity policy. The CISO must report to the board, at least bi-annually, to (1) assess the confidentiality, integrity and availability of information systems; (2) detail exceptions to cybersecurity policies and procedures; (3) identify cyber risks; (4) assess the effectiveness of the cybersecurity program; (5) propose steps to remediate any identified inadequacies; and (6) summarize all material cyber events.
NYDFS surveyed approximately 200 regulated banking institutions and insurance companies to obtain insight into the industry’s efforts to prevent cybercrime. Additionally, it met with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third-party vendors. The proposed regulation is subject to a 45-day notice and public comment period before its final issuance.
In a letter dated August 29, six United States senators urged President Obama to prioritize cybersecurity risks facing financial firms during the upcoming G-20 Leaders summit in September. The senators noted that the discussions “merit attention not only in finance ministries and central banks, but also in executive leadership circles across the globe.” They warned that cyber attacks on financial institutions have accelerated risks to international finance and the global economy. The signatories—all of whom are Democrats—are Senator Gary Peters (MI), Kirsten Gillibrand (NY), Debbie Stabenow (MI), Martin Heinrich (NM), Sherrod Brown (OH) and Mark Warner (VA). The senators sent copies of the letter to Treasury Secretary Jack Lew and Federal Reserve Chair Janet Yellen.
The senators specifically referenced that, in February, hackers fraudulently utilized the Society for Worldwide Interbank Financial Telecommunication (SWIFT) international financial messaging service to steal $81 million from the Central Bank of Bangladesh. Subsequently, similar attacks took place at financial institutions in other nations. The senators suggested that international leaders must “take steps in the near term to erect more robust defenses and collaborative systems to prevent and mitigate the impact of successful attacks.”
The senators referenced that SWIFT has implemented financial measures to encourage its members to investigate their security protocols. They stressed that it is not only SWIFT’s responsibility to respond to the cyber threats, but responsibility must also belong to its stakeholders and their nations’ financial regulators. “In a connected international financial system, we are only as strong as our weakest link.” Global coordination will improve collaboration in and among international law enforcement and the financial regulatory sector, especially to pursue counter-terror financing and anti-money laundering agendas.
It will be interesting to watch how cybersecurity issues arise in our domestic elections this fall, as well as on the international stage, during the remaining months of the Obama administration and upon the start of our new presidential administration.
On August 18, the United States Department of Education (“Department”) issued a Dear Colleague Letter (“DCL”) addressing issues that arise when an educational institution participating in Title IV programs uses a third-party servicer. The DCL delineates a non-exhaustive list of commonly provided third-party services, such as managing and administering Title IV funds. The DCL stresses several important privacy considerations that should not be overlooked in educational institutions’ arrangements with third-party servicers.
Educational institutions must ensure that their third-party servicer contracts require the servicers to comply with all applicable laws. Institutions are subject to the information security requirements established by the Federal Trade Commission for financial institutions. Accordingly, institutions must take reasonable steps to select and retain service providers that are capable of maintaining information security safeguards and must require service providers by contract to implement appropriate security protocols. Also, the institution must require the third-party servicer to comply with the Family Educational Rights and Privacy Act (“FERPA”) regarding the receipt and use of provided education records.
FERPA allows educational institutions to disclose personally identifiable information (“PII”) from a student’s education record to a third-party servicer, without consent, with respect to financial aid for which the student has applied or which the student has received. Such disclosure of PII must be for the purposes of determining eligibility for the aid, determining the amount of the aid, determining the conditions of the aid or enforcing the terms and conditions of the aid. FERPA imposes recordation requirements as part of such sharing of information, including the parties who received the PII from the education records and the legitimate interests justifying the sharing of the information.
PII provided to a third-party servicer should be limited to only the extent necessary for the servicer to perform the Title IV function(s) or service(s) as part of the contractual relationship with the educational institution. Servicers are prohibited from using PII for any purpose other than the contracted services with the institution. The Department has the right to initiate an administrative action against the educational institution and/or its third-party servicer for any FERPA violation.
On August 29, the Federal Trade Commission (“FTC”) announced that it seeks public comment on the Standards for Safeguarding Customer Information (“Safeguards Rule”), as part of its systematic review of all FTC rules and guides. The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security program to handle customer information.
The FTC promulgated the Safeguards Rule pursuant to the Gramm-Leach-Bliley Act, which was enacted in 1999 to reform and modernize the banking industry. In 2000, the FTC issued a Privacy Rule under the Act to limit disclosure of non-public information. Three years later, the FTC promulgated the Safeguards Rule, applicable to all financial institutions.
The Safeguards Rule applies to financial institutions’ handling of customer information, defined as “any record containing nonpublic personal information . . . about a customer of a financial institution, whether in paper, electronic, or other form” that is “handled or maintained by or on behalf of” a financial institution or its affiliates. The Safeguards Rule does not apply to all consumer information; it applies to information of customers, which are consumers with a continuing relationship with a financial institution providing financial products or services used primarily for personal, family or household purposes. Also, the Safeguards Rule is not limited to a financial institution’s own customers, but extends to all customer information in the financial institution’s possession, including information about other financial institutions’ customers.
The required comprehensive information security program requires the identification of reasonably foreseeable internal and external risks. The program must be a continual process and designate employees to coordinate its effectiveness. The financial institution must also take reasonable steps to select and retain service providers who can appropriately safeguard customer information.
In its evaluation of the Safeguards Rule, the FTC seeks public comment on a series of questions, focusing on its benefits, costs and necessary modifications. Also, the FTC is evaluating whether specific measures should be prescribed as part of the required comprehensive information security program, including response plans and the incorporation of other standards such as those promulgated by the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standards.
Comments may be filed online or on paper, and the FTC must receive them by November 7. Comments will be made public on the FTC’s website, so commentators should pay careful attention to excluding any sensitive information or trade secrets. Information about the FTC’s request for comments and the process is available on the FTC’s website.
On December 4, 2015, we reported on the preliminary approval granted in the Target data breach settlement. This past week, U.S. District Judge Paul A. Magnuson gave official approval to the deal. Target will pay $39.3 million to a group of financial institutions as a consequence of its massive 2013 data breach, where hackers gained access to Target’s network and the financial information of approximately 40 million customers. The settlement applies to all U.S. financial institutions that issued payment cards identified as at risk as a result of the breach and that have not previously released their claims through a separate deal with Visa Inc. and MasterCard Inc. Under the previously reached $67 million agreement with Target, nearly 75% of Visa issuers accepted settlement in exchange for full release of their claims.
Under the deal with the financial institutions, Target will pay up to $20.25 million directly to class members and $19.1 million to fund MasterCard’s Account Data Compromise program. Judge Magnuson approved attorneys’ fees of $17.8 million and expenses of $2.1 million. The judge cited to the complexity of the claims and the expense of further litigation as reasons for approving the settlement.
Forty-five financial institutions, controlling 1.6 percent of the affected accounts, opted out of the settlement. However, of the 2,212 financial institutions with potentially affected members, 67 percent filed claims for compensation from the settlement fund. This case is bound to impact further data breach litigation.
The case is In re: Target Corporation Customer Data Security Breach Litigation, U.S. District Court, District of Minnesota, No. 14-md-02522.