
Financial Privacy

PCI Security Standards Council Publishes Third-Party Security Assurance Guidance

The Payment Card Industry Security Standards Council (PCI-SSC) today released recommendations for meeting the PCI Data Security Standard (PCI-DSS) when sharing cardholder data with third-party service providers. PCI-DSS requires a merchant or other entity entrusted with cardholder data to ensure that the cardholder data continues to be protected when it is provided to a third party.


U.S. Treasury Secretary Lew Emphasizes Cyber-Risks for Financial Institutions

In remarks delivered earlier this month, U.S. Treasury Secretary Jacob Lew highlighted the dangers of “cyber intrusions” to financial institutions. Secretary Lew cited more than 250 cyber attacks against U.S. banks and credit unions since 2011, as well as recent hacks and credit card thefts against major retailers. “Cyber attacks on our financial system represent a real threat to our economic and national security,” said Secretary Lew.


Kim Peretti Quoted in BankInfoSecurity

June 3, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, Cybersecurity, Financial Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in a BankInfoSecurity article titled “Target Breach: Hold Board Responsible?”

The article discussed a consulting firm’s report for shareholders in regard to Target Corp. stating that the company should replace seven of the ten members of its board of directors who served on the audit and corporate responsibility committees that should have provided better oversight into fraud and other cyber-risks when it came to Target’s major data breach.

“The study reinforces that boards need to address cybersecurity risks just as they deal with other types of enterprise risks,” Peretti said. “Boards need to be proactively engaged in understanding IT security risk and need to be asking probing questions in advance of a breach. ... A report from a consulting firm recommending that a company dismiss board members because of their handling of data security issues is unusual.”

“It’s the first that we’re seeing [such] drastic or significant conclusions [like] in this report,” she said. “Companies are still struggling with appropriate cybersecurity governance.”

Written by Security Incident Management & Response Team | Alston & Bird LLP

Financial Regulators Release Statements on Cyber-Attacks

April 3, 2014 | Posted by Maki DePalo | Topic(s): Data Security, Cybersecurity, Financial Privacy

On April 2, 2014, the Federal Financial Institutions Examination Council (“FFIEC”) issued a press release, alerting that FFIEC members are issuing joint statements on the risks associated with cyber-attacks on Automated Teller Machine (“ATM”) and card authorization systems and the continued distributed denial of service (“DDoS”) attacks on websites.


Energy and Commerce Committee to Hold First U.S. House of Representatives Hearing in 2014 on Protecting Consumer Information and Preventing Data Security Breaches

Following the recent announcement of two U.S. Senate committee hearings on data security breaches, the House Energy and Commerce Committee announced the first U.S. House of Representatives hearing to examine the issue. During the same week as the Senate hearings, the committee’s Subcommittee on Commerce, Manufacturing and Trade (CMT), chaired by Rep. Lee Terry (R-NE), will hold a hearing entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” on Wednesday, February 5, 2014, at 9:30 a.m. EST in 2123 Rayburn House Office Building. According to the hearing notice released yesterday, witnesses will include executives from Target and Neiman Marcus, as well as government officials from the United States Secret Service and Department of Homeland Security. The Subcommittee will examine the preparations made by businesses to prevent data security breaches and the resources that exist to identify threats and improve the security of consumer information. The CMT Subcommittee notice also referenced the subcommittee’s recently issued data breach resource guide, which is a webpage that provides consumers with information they can use to help protect themselves against identity theft and take action when they learn of potential fraudulent charges on their accounts.


U.S. Senate Banking and Judiciary Committees to Hold Hearings Examining Data Security Breaches, Identity Theft, and the Safeguarding of Consumers’ Financial Data

January 28, 2014 | Posted by | Topic(s): Online Privacy, US Congress, Legislation, Identity Theft, Data Security, Cybersecurity, Financial Privacy, Hearing, Data Breach, Senate, Cybercrime

The U.S. Senate Committees on Banking and the Judiciary will each host hearings during the week of February 3, 2014, to examine the impact on consumers from recently reported data security breaches and what measures may be taken to protect sensitive information of consumers, including customer financial information, from criminal acquisition and misuse. Consistent with the assigned jurisdiction and oversight authority of each committee, the Banking Committee will examine the protection of consumer financial data, whereas the Senate Judiciary Committee will focus on the prevention of data security breaches and combating cybercrime. While these hearings will be open to the public at the Senate office buildings in Washington, D.C., each hearing will also be webcast live to the public via the committees’ hearing web pages at the links provided below. Witness testimony will not be made publicly available until the hearings start, but will be posted and available at the same committee web pages. (Please click on “Read More” to see more detailed information on each hearing and links to the committee webpages.)


Jim Harvey to Speak at the Institute of Continuing Legal Education in Georgia’s 2014 Banking Law Program

January 14, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Data Security, Cybersecurity, Financial Privacy

On February 7, Jim Harvey, co-chair of the firm’s Security Incident Management & Response Team, will participate as a speaker in the ICLE’s 2014 Banking Law Program. Mr. Harvey, along with co-panelist Susan Koski, Chief Information Security Officer of Synovus Bank, will speak on “Cybersecurity: Managing Risks and Allocation of Loss.” This topic is one of six in the full-day program, which has been approved for six hours of CLE credit and will be held at the State Bar of Georgia’s headquarters in Atlanta.


Posted by Security Incident Management & Response Team | Alston & Bird LLP

California Privacy Ballot Initiative Moves Forward: Act Would Amend California Constitution to Set Standards for Collection and Protection of Personally Identifying Information, including Financial and/or Health Information

October 4, 2013 | Posted by Nick Stamos and Claire Lucy Readhead | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Health Privacy, US State Law, Privacy, Financial Privacy, Privacy Class Actions, Privacy Litigation

California Secretary of State Debra Bowen has allowed signature collection to commence for a ballot initiative, named the Personal Privacy Protection Act, that could drastically alter the California privacy regime. The initiative, led by former state Senator Steve Peace and retired attorney Michael Thorsnes, seeks to amend the California Constitution to define personally identifiable information as “any information which can be used to distinguish or trace a natural person's identity which is linked or linkable to a specific natural person” but excludes information that is publicly available from government records. The definition of personally identifying information would also explicitly include “financial and/or health information.”


PCI SSC highlights anticipated changes in PCI DSS and PA-DSS V3.0

August 26, 2013 | Posted by Maki DePalo | Topic(s): Data Security, Cybersecurity, Financial Privacy

The Payment Card Industry Security Standards Council (PCI SSC) recently released a set of anticipated changes to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).


New York Takes Increased Regulatory Interest in Cybersecurity Practices at Insurance Companies

June 3, 2013 | Posted by Louis Dennig | Topic(s): Cybersecurity, Financial Privacy, Cybercrime

On Tuesday, May 28, at the direction of New York Governor Andrew Cuomo, the New York State Department of Financial Services (“DFS”) requested that the State’s largest insurance companies provide DFS with information regarding their cybersecurity practices. Among other requests, DFS is seeking information on what cybersecurity safeguards those insurance companies have in place, whether they have been the target of a cyber-attack within the past three years, and the amount of resources the insurance companies dedicate to cybersecurity. The requests came in the form of “308 Letters,” which create a legal obligation for the recipient insurance companies to provide a response. DFS sent similar requests to the largest banks operating in the State earlier this year. The Governor stressed that while the State is “intensely focused on making sure that banks have the protections in place they need . . . we always have to keep at least one eye on the lookout for the next big threat.” The Superintendent of DFS and co-chair of Governor Cuomo’s Cyber Security Advisory Board opined that “cybersecurity at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot. We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.” The 31 insurance companies receiving the letters include Aetna, AIG, Humana, Liberty Mutual, MetLife, Travelers and United Health Group.

The full text of a related Press Release issued from Governor Cuomo’s Office may be read at:

To read the full text of a related advisory, please click on Cyber Alert - New York State Inquires into Insurance Company Cybersecurity Practices: A Signal of Increased Proactive Regulator Interest in Data Security?

Written by Louis Dennig, Associate, Litigation & Trial Practice Group | Alston & Bird LLP

U.S. Secret Service and Texas Bankers Electronic Crimes Task Force Release Best Practices for Reducing the Risks of Corporate Account Takeovers

Since it was first identified in 2006, the financial services sector has been battling a form of cybercrime known as “corporate account takeovers,” in which cyber criminals target employees of businesses and cause the targeted individual to spread malicious software (or “malware”) that in turn steals their online banking credentials. Armed with these credentials, the criminal is able to compromise the target’s financial account and electronically steal money from business accounts, often via unauthorized wire transfers and ACH payments.


OCC Issues an Alert on DDoS Attacks

The Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, recently released an alert to CEOs of all national banks, federal branches and agencies, and associated interested parties, calling for a heightened sense of awareness and offering risk mitigation information in response to a series of sophisticated DDoS attacks.


In Matter of First Impression, Eleventh Circuit Rules That Banks May Be Liable For Alleged Fraudulent Wire Transfers

December 5, 2012 | Posted by | Topic(s): Privacy, Financial Privacy, Litigation

In Chavez v. Mercantil Commercebank, N.A., No. 11-15804 (11th Cir. Nov. 27, 2012), the Eleventh Circuit found that the parties did not have an agreed-upon security procedure so as to allow the bank to qualify for safe harbor under Article 4A of the Uniform Commercial Code, as enacted in Florida, and avoid liability for an allegedly fraudulent payment order.


FTC Files Complaint Against Wyndham Worldwide Corp. for Data Breach

June 29, 2012 | Posted by | Topic(s): Online Privacy, Federal Trade Commission (FTC), Security Breach, Data Security, Financial Privacy, Data Breach

On June 26, 2012, the Federal Trade Commission (“FTC”) filed a complaint in federal district court in Arizona against Wyndham Worldwide Corporation and three subsidiaries (“Wyndham”) alleging that the company’s failure to adequately safeguard customers’ personal information led to millions of dollars in losses to fraud.


SEC Issues Guidance on Cybersecurity Risks and Incidents

October 20, 2011 | Posted by Charles R. Yates III | Topic(s): Cybersecurity, Financial Privacy

In response to various political pressures, including a letter dated May 11, 2011, from Senator Jay Rockefeller (D-WV) and four other senators to SEC Chairman Mary Schapiro, the Staff of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued guidance on October 13, 2011, regarding its views on disclosure obligations relating to cybersecurity risks and cyber incidents.
