The financial services sector has been battling a form of cybercrime, first identified in 2006, known as “corporate account takeovers,” in which cyber criminals target employees of businesses and cause the targeted individual to spread malicious software (or “malware”), which in turn steals their online banking credentials. Armed with these credentials, the criminal is able to compromise the target’s financial account and electronically steal money from business accounts, often via unauthorized wire transfers and ACH payments.
|
The Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, recently released an alert to CEOs of all national banks, federal branches and agencies, and associated interested parties, calling for a heightened sense of awareness and offering risk mitigation information in response to a series of sophisticated DDoS attacks.
|
In Chavez v. Mercantil Commercebank, N.A., No. 11-15804 (11th Cir. Nov. 27, 2012), the Eleventh Circuit found that the parties did not have an agreed-upon security procedure so as to allow the bank to qualify for safe harbor under Article 4A of the Uniform Commercial Code, as enacted in Florida, and avoid liability for an allegedly fraudulent payment order.
|
On June 26, 2012, the Federal Trade Commission (“FTC”) filed a complaint in federal district court in Arizona against Wyndham Worldwide Corporation and three subsidiaries (“Wyndham”) alleging that the company’s failure to adequately safeguard customers’ personal information led to millions of dollars in losses to fraud.
|
In response to various political pressures, including a letter dated May 11, 2011, from Senator Jay Rockefeller (D-WV) and four other senators to SEC Chairman Mary Schapiro, the Staff of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued guidance on October 13, 2011, regarding its views on disclosure obligations relating to cybersecurity risks and cyber incidents.
|
India has clarified the applicability of its recently released privacy rules, causing a collective sigh of relief for outsourcing suppliers and customers around the globe. As detailed in our prior client alert on the topic, India released a set of rules earlier this year that would have radically impacted the manner in which outsourcing suppliers and customers dealt with personal data collected and processed in India. Indeed, the rules were nearly as expansive as the EU Data Directive and would have had a similar fundamental and profound impact on data practices for virtually every outsourcing relationship in which services were provided from India. On August 24, 2011, however, the Ministry of Communications & Information Technology clarified that the collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to Rules 4 and 5, which included many of the more controversial aspects of the previous guidance. This type of clarification had been anticipated by much of the industry since mid-July or so and has been uniformly well received.
|
India issues extensive Privacy Rules with potentially significant impact on Outsourcing Services
On April 11, 2011, India’s Central Government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). Although positioned as an effort to provide clarification to terms left undefined in the Information Technology Act, 2000, the Privacy Rules put in place a significant new data privacy regime covering collection, use, disclosure or transfer of personal information in India. The Privacy Rules also impose new security standards and security obligations on a company’s data-related operations in India, and require the implementation of a privacy policy. Information qualifying as “sensitive personal data or information” (e.g., passwords, financial information, and medical records) is subject to tighter regulation, requiring, among other things, the written consent of the data subject before such information can be collected.
|
Two days ago, on July 21, President Obama signed into law H.R. 4173, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Act”). All types of financial institutions will be subject to significant new conditions and limitations under the statute; nonfinancial, publicly traded companies will be faced with new obligations as well. As is always the case with landmark legislation, the consequences on day-to-day operations will emerge over time, as regulators begin their analysis and commence necessary rulemaking.
This advisory reviews both the broad themes and many of the critical details of the Act. We have organized the discussion by title, but we review the provisions within each title thematically.
The advisory is provided in PDF on the Alston & Bird web site: http://www.alston.com/fisap_dodd_frank_reform_act_summary
|