
Cybersecurity Laws for the Fintech Industry

In our modern digital landscape, the intersection of cybersecurity, finance and tech has become a focal point for regulators. With the rise of fintech, insurtech, personal financial management, alternative investments, and complex financial APIs, legal frameworks are evolving to keep pace. Below are five notable cybersecurity legal updates within the financial sector, impacting financial institutions, fintech companies, and their service providers both domestically and abroad:
  1. EU’s Digital Operational Resilience Act (DORA);
  2. SEC Amendments to Regulation S-P;
  3. FTC Standards for Safeguarding Consumer Information;
  4. Nacha’s Updates to Operating Rules; and
  5. CFPB’s Rulemaking on Personal Financial Data Rights.
 
  1. EU’s Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an EU regulation that applies to financial entities and the third parties that support them. DORA requires that applicable organizations “follow rules for the protection, detection, containment, recovery and repair capabilities against [information and communication technology]-related incidents,” per the DORA website.

When Does it Take Effect? DORA entered into force on January 16, 2023, and will apply in each member state of the EU beginning January 17, 2025.

Who Does This Apply To? Financial Entities: Under DORA, financial entities are defined broadly to include banks, insurance providers, investment firms, payment institutions, credit institutions, credit rating agencies, and more.

ICT Third-Party Service Providers: DORA’s scope also includes Information Communication Technology (ICT) third-party service providers, meaning companies that provide digital and data services to financial entities. These include hardware providers as well as providers of cloud computing, software, data analytics and data center services. Once identified, these providers are deemed critical or non-critical, with critical ICT service providers subject to additional requirements.

Key Takeaways: DORA establishes uniform requirements regarding the network and information systems that support financial entities. To establish this uniform framework, the Act requires:
  • Managing risk of ICT resources. Financial entities are required to create and maintain an internal governance and control framework for the effective management of ICT risk.
 
  • Reporting on ICT-related incidents and major operational or security payment-related incidents. Financial entities are required to report major ICT-related incidents, and to voluntarily report cyber threats to competent authorities.
 
  • Digital operational resilience testing. Financial entities are required to establish, maintain and review a sound and comprehensive digital operational resilience testing program, including a range of assessments, tests, methodologies, practices and tools.
 
  • Contracting with ICT third-party service providers. Financial entities and ICT third-party service providers are required to clearly set out the relevant rights and obligations in writing, including specific elements defined in the Act. Critical ICT providers are subject to additional requirements.
 
  • Implementing measures for management of ICT third-party risk. Financial entities are required to adopt, and regularly review, a strategy on ICT third-party risk including a register of information related to the required contractual agreements between financial entities and ICT third-party service providers.
  Because the definition of “ICT third-party service providers” includes a range of entities that provide digital and data services, it is important that both financial entities and providers of ICT services are familiar with the requirements imposed by DORA.  
  2. SEC Amendments to Regulation S-P
Regulation S-P is a set of rules created by the Securities and Exchange Commission (SEC). It requires certain parties to adopt written policies and procedures for the protection of customer records and information. The amendments to the Regulation are designed to address the expanded use of technology, and the associated risks, that have emerged since the Regulation’s original adoption in 2000.

When Does it Take Effect? The SEC adopted the amendments to Regulation S-P on May 16, 2024, with an effective date of August 2, 2024. Larger entities will need to comply by December 3, 2025, while smaller entities will need to comply by June 1, 2026.

Who Does This Apply To? Regulation S-P applies to “covered institutions,” including broker-dealers, registered investment companies, registered investment advisors (RIAs), funding portals, and transfer agents registered with the SEC or another appropriate regulatory agency.

Key Takeaways: The amendments to Regulation S-P modernize the rules regarding the treatment of consumers’ nonpublic personal information by imposing privacy-related protections. Among other things, the amended Regulation requires:
  • Adopting an incident response program. Covered institutions must adopt written policies and procedures for incident response programs to handle unauthorized access of information. This policy should be reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information.
 
  • Updating consumer notification protocols. As part of the required incident response programs, covered institutions are required to notify consumers whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization. This notice must be given as soon as reasonably practicable, but no later than 30 days after the covered institution has become aware of the unauthorized access.
 
  • Providing oversight of service providers. Covered institutions are required to establish, maintain and enforce written policies that are reasonably designed to require oversight of service providers, including through monitoring, to ensure that any individuals impacted by a breach of sensitive information receive any required notices.
 
  • Expanding the scope of the Regulation. The amended Regulation aligns more closely to the FTC’s Safeguards Rule. Both rules apply to “customer information,” defined as “any record containing nonpublic personal information” about a customer of a financial institution. Additionally, the amendments broaden the group of customers whose information is protected under this Regulation.
 
  • Updating recordkeeping and annual privacy notices. The amended Regulation will add requirements to certain covered institutions to maintain written documentation of compliance. Additionally, certain covered institutions must provide a clear and conspicuous privacy notice at least annually during the customer relationship.
   
  3. FTC Standards for Safeguarding Consumer Information
The Federal Trade Commission’s (FTC’s) Standards for Safeguarding Consumer Information (the Safeguards Rule) is a set of regulations that requires certain financial institutions to protect consumer information.

When Does it Take Effect? In October 2023, the FTC announced the revised provisions of the Safeguards Rule, and the Rule took effect on May 13, 2024.

Who Does This Apply To? The Safeguards Rule applies to “financial institutions” that are covered by the FTC’s jurisdiction. This includes mortgage and payday lenders, finance companies, mortgage brokers, account services, check cashers, and investment advisors that are not required to register with the FTC, among others. The Rule does not apply to financial institutions subject to the authority of another regulator under §505 of the Gramm-Leach-Bliley Act. Additionally, there are exemptions to the Rule, including for financial institutions that maintain consumer information concerning fewer than 5,000 consumers.

Key Takeaways: The Safeguards Rule requires financial institutions to develop and maintain an information security program to protect consumer information. The amendments to the Safeguards Rule require entities to report data and security breaches affecting 500 people or more. Among other things, the Safeguards Rule requires:
  • Implementation of a security program. Financial institutions are required to develop, implement, and maintain a comprehensive security program. This program should be appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of the consumer information at issue. The FTC Safeguards Rule also imposes minimum security controls on financial institutions, including but not limited to secure development, encryption and MFA.
 
  • Notifying the FTC. The amendment requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving at least 500 consumers.
 
  4. Nacha’s Updates to Operating Rules
The National Automated Clearing House Association (Nacha) Operating Rules govern how the Automated Clearing House (ACH) Network functions. The Nacha Rules cover all ACH payments, providing guidelines for securely storing, accessing, and transmitting sensitive customer information.

When Does it Take Effect? The changes to the Nacha Operating Rules became effective on October 1, 2024.

Who Does This Apply To? The Nacha Operating Rules apply to entities that collect and store non-public sensitive information in ACH transactions, including bank account and routing numbers, social security numbers, and driver’s license numbers, among other information.

Key Takeaways: In 2024, the Nacha Operating Rules underwent amendments as part of a larger risk management package. These amendments are intended to reduce fraud and improve the recovery of funds after fraud has occurred. Among other things, the amendments to the Rules include:
  • Allowing financial institutions to return entries via R17. A receiving depository financial institution (RDFI) may, but is not required to, use return code R17 to return an entry it believes is fraudulent. This amendment defines the return code for this use and is designed to improve the recovery of funds that originated from fraud.
 
  • Expanding the uses of Request for Return. An originating depository financial institution (ODFI) may request a return from the RDFI for any reason. Under this amendment, the ODFI would still indemnify the RDFI for compliance with the request, and compliance by the RDFI remains optional.
 
  • Creating additional funds availability exceptions. This amendment provides RDFIs with an additional exception from the existing funds availability requirements, including credit entries that the RDFI suspects are fraudulent. This rule is intended to improve the recovery of funds obtained by fraud.
 
  • Modifying the timing of the Written Statement of Unauthorized Debit (WSUD). While the rule previously allowed a WSUD to be dated on or after the Settlement Date of the Entry, this amendment allows a WSUD to be signed and dated by the receiver on or after the date on which the entry is presented to the receiver, even if the debit has not yet been posted to the account.
 
  • Requiring the RDFI to return unauthorized debits promptly. When returning a consumer debit as unauthorized, the RDFI must make the return by the sixth banking day following the completion of its review of the consumer’s signed WSUD. This prompt return is intended to alert the ODFI to potential issues, improve the recovery of funds, and reduce the occurrence of future fraud.
   
  5. CFPB’s Rulemaking on Personal Financial Data Rights
The Consumer Financial Protection Bureau (CFPB) issued a final Rule to carry out the personal financial data rights established by the Consumer Financial Protection Act of 2010 (CFPA). This Rule allows consumers to access account data controlled by certain providers of consumer financial products in a safe, secure manner.

When Does it Take Effect? The data providers covered under this Rule must comply with the requirements in phases: the largest institutions will have to comply by April 1, 2026, while the smallest institutions must comply by April 1, 2030.

Who Does This Rule Apply To? Under this Rule, a “data provider” is required to make the covered data available, in electronic form, to consumers and certain authorized third parties. A “data provider” includes depository institutions, such as credit unions, and non-depository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services. However, the Rule does not apply to certain small depository institutions.

Key Takeaways: This Rule enables consumers and authorized third parties to access consumer account information, which allows account holders to make more informed and freely made decisions regarding their providers. Among other things, the Rule requires:
  • Disclosing certain information. Data providers must make certain data, including information about transactions, costs, charges, and usage, available to consumers and authorized third parties upon request.
 
  • Adhering to disclosure requirements. Disclosures must be made in a standardized and machine-readable format and in a commercially reasonable manner, among other disclosure requirements.
 
  • Banning “screen scraping” by third parties. A data provider cannot satisfy the requirement to make certain data available to third parties by allowing the third party to use “screen scraping,” an access method that uses the consumer’s credentials to log in to the consumer’s account and retrieve data.

Should Bar Associations Vet Technology Service Providers for Attorneys?

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]


Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).


What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA called the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms and educational apps and technologies that were not around in 1998). Finally, the California Attorney General recently released proposed regulations to the California Consumer Protection Act, which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collection of personal information for children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:


The 2019 Capital One Breach Compared to the 2017 Equifax Breach: Evolving and Improving Attitudes toward Data Security, Breach Detection, and Breach Notification


On September 7, 2017, Equifax announced that it had suffered a data breach that exposed the personal data of nearly 147 million people. Two years following the Equifax breach, Capital One also suffered a data breach nearly as massive in scope, affecting approximately 100 million users in the United States and 6 million users in Canada.

A casual observer might think that the two breaches are similar. After all, they both affected a large financial institution and encompassed over a million financial records. The similarities end there, however. Capital One implemented security measures to protect its customer data and engaged in a speedy response to an insider threat. Equifax failed to implement even basic data protection measures and was laggardly in reporting the inevitable breach.

Only time will tell what the full repercussions of these two breaches will be. But based on the facts in front of us, Capital One’s quick response to its breach will ultimately protect more customers in the long run. Comparing the circumstances surrounding the two breaches shows a positive trend toward companies taking their customers’ data more seriously and being mindful of ever-increasing consumer vigilance about their own data.


The FTC Ramps Up Privacy Enforcement

Following increased congressional scrutiny over its data privacy enforcement practices in 2018, the FTC has ramped up its enforcement actions in recent months, giving some real bite to current federal privacy laws:

  • On February 27, 2019, the FTC filed a complaint against the operators of the lip-syncing app Musical.ly (now known as TikTok) for failing to seek parental consent before collecting the personal information of users under the age of 13. In response to the FTC’s complaint, TikTok agreed to pay a $5.7 million settlement to the agency, marking the largest-ever COPPA fine in US history.
  • Throughout March, the FTC obtained settlements against four separate robocall operations: NetDotSolutions, Higher Goals Marketing, Veterans of America, and Pointbreak Media. These cases charged the entities with violations of the FTC Act (unfair and deceptive trade practices) and the agency’s Telemarketing Sales Rule (TSR), including its Do Not Call (DNC) provisions.
  • On March 26, 2019, the FTC announced a broad inquiry into the data collection practices of broadband companies under Section (b) of the FTC Act. The agency issued orders to AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless, seeking information about the collection, retention, and sharing of personal information. The FTC investigation highlights recent consumer concerns about data privacy and tracking by ISPs, following high-profile acquisitions of content providers like AOL, Yahoo, and DirecTV. We are watching closely, as this may be the start of one of the first joint privacy-antitrust enforcement actions by the FTC.

These enforcement actions highlight the FTC’s role as the de facto data protection authority for the United States. Yet the FTC’s mandate extends far beyond data privacy and includes regulatory authority over false advertising claims, anticompetitive behavior, and merger review. While Congress continues to debate the passage of a federal bipartisan privacy bill, it behooves legislators to keep in mind the current staff and funding limitations of the FTC in any proposed drafts.