Financial Privacy

Financial Regulators Release Statements on Cyber-Attacks

April 3, 2014 | Posted by Maki DePalo | Topic(s): Data Security, Cybersecurity, Financial Privacy

On April 2, 2014, the Federal Financial Institutions Examination Council (“FFIEC”) issued a press release, alerting that FFIEC members are issuing joint statements on the risks associated with cyber-attacks on Automated Teller Machine (“ATM”) and card authorization systems and the continued distributed denial of service (“DDoS”) attacks on websites.

Energy and Commerce Committee to Hold First U.S. House of Representatives Hearing in 2014 on Protecting Consumer Information and Preventing Data Security Breaches

Following the recent announcement of two U.S. Senate committee hearings on data security breaches, the House Energy and Commerce Committee announced the first U.S. House of Representatives hearing to examine the issue. During the same week as the Senate hearings, the committee’s Subcommittee on Commerce, Manufacturing and Trade (CMT), chaired by Rep. Lee Terry (R-NE), will hold a hearing entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” on Wednesday, February 5, 2014, at 9:30 a.m. EST in 2123 Rayburn House Office Building. According to the hearing notice released yesterday, witnesses will include executives from Target and Neiman Marcus, as well as government officials from the United States Secret Service and Department of Homeland Security. The Subcommittee will examine the preparations made by businesses to prevent data security breaches and the resources that exist to identify threats and improve the security of consumer information. The CMT Subcommittee notice also referenced the subcommittee’s recently issued data breach resource guide, which is a webpage that provides consumers with information they can use to help protect themselves against identity theft and take action when they learn of potential fraudulent charges on their accounts.

U.S. Senate Banking and Judiciary Committees to Hold Hearings Examining Data Security Breaches, Identity Theft, and the Safeguarding of Consumers’ Financial Data

The U.S. Senate Committees on Banking and the Judiciary will each host hearings during the week of February 3, 2014, to examine the impact on consumers of recently reported data security breaches and what measures may be taken to protect sensitive consumer information, including customer financial information, from criminal acquisition and misuse. Consistent with the assigned jurisdiction and oversight authority of each committee, the Banking Committee will examine the protection of consumer financial data, whereas the Senate Judiciary Committee will focus on the prevention of data security breaches and combating cybercrime. While these hearings will be open to the public at the Senate office buildings in Washington, D.C., each hearing will also be webcast live to the public via the committees’ hearing web pages. Witness testimony will not be made publicly available until the hearings start, but will be posted and available at the same committee web pages.

Jim Harvey to Speak at the Institute of Continuing Legal Education in Georgia’s 2014 Banking Law Program

January 14, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Data Security, Cybersecurity, Financial Privacy

On February 7, Jim Harvey, co-chair of the firm’s Security Incident Management & Response team, will participate as a speaker in the ICLE’s 2014 Banking Law Program. Mr. Harvey, along with co-panelist Susan Koski, Chief Information Security Officer of Synovus Bank, will speak on “Cybersecurity: Managing Risks and Allocation of Loss.” This topic is one of seven in the full-day program, which has been approved for six hours of CLE credit and will be held at the State Bar of Georgia’s headquarters in Atlanta.

For more information on this program and to register, please click here.

Posted by Security Incident Management & Response team | Alston & Bird LLP

California Privacy Ballot Initiative Moves Forward: Act Would Amend California Constitution to Set Standards for Collection and Protection of Personally Identifying Information, including Financial and/or Health Information

October 4, 2013 | Posted by Nick Stamos and Claire Lucy Readhead | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Health Privacy, US State Law, Privacy, Financial Privacy, Privacy Class Actions, Privacy Litigation

California Secretary of State Debra Bowen has allowed signature collection to commence for a ballot initiative, named the Personal Privacy Protection Act, that could drastically alter the California privacy regime. The initiative, led by former state Senator Steve Peace and retired attorney Michael Thorsnes, seeks to amend the California Constitution to define personally identifiable information as “any information which can be used to distinguish or trace a natural person's identity which is linked or linkable to a specific natural person” but excludes information that is publicly available from government records. The definition of personally identifying information would also explicitly include “financial and/or health information.”

PCI SSC highlights anticipated changes in PCI DSS and PA-DSS V3.0

August 26, 2013 | Posted by Maki DePalo | Topic(s): Data Security, Cybersecurity, Financial Privacy

The Payment Card Industry Security Standards Council (PCI SSC) recently released a set of anticipated changes to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).

New York Takes Increased Regulatory Interest in Cybersecurity Practices at Insurance Companies

June 3, 2013 | Posted by Louis Dennig | Topic(s): Cybersecurity, Financial Privacy, Cybercrime

On Tuesday, May 28, at the direction of New York Governor Andrew Cuomo, the New York State Department of Financial Services (“DFS”) requested that the State’s largest insurance companies provide DFS with information regarding their cybersecurity practices. Among other requests, DFS is seeking information on what cybersecurity safeguards those insurance companies have in place, whether they have been the target of a cyber-attack within the past three years, and the amount of resources the insurance companies dedicate to cybersecurity. The requests came in the form of “308 Letters,” which create a legal obligation for the recipient insurance companies to respond. DFS sent similar requests to the largest banks operating in the State earlier this year. The Governor stressed that while the State is “intensely focused on making sure that banks have the protections in place they need . . . we always have to keep at least one eye on the lookout for the next big threat.” The Superintendent of DFS and co-chair of Governor Cuomo’s Cyber Security Advisory Board opined that “cybersecurity at insurance companies is something that often gets overlooked, but it’s far too important to get caught in a blind spot. We need to make sure that those insurance records are protected from hack attacks that could put New Yorkers at risk.” The 31 insurance companies receiving the letters include Aetna, AIG, Humana, Liberty Mutual, MetLife, Travelers and United Health Group.

The full text of a related press release issued by Governor Cuomo’s Office may be read at: http://www.dfs.ny.gov/about/press2013/pr1305281.htm

To read the full text of a related advisory, please click on Cyber Alert - New York State Inquires into Insurance Company Cybersecurity Practices: A Signal of Increased Proactive Regulator Interest in Data Security?

Written by Louis Dennig, Associate, Litigation & Trial Practice Group | Alston & Bird LLP

U.S. Secret Service and Texas Bankers Electronic Crimes Task Force Release Best Practices for Reducing the Risks of Corporate Account Takeovers

Since it was first identified in 2006, the financial services sector has been battling a form of cybercrime known as “corporate account takeover,” in which cyber criminals target employees of businesses and cause the targeted individual to spread malicious software (“malware”), which in turn steals the employee’s online banking credentials. Armed with these credentials, the criminal is able to compromise the target’s financial account and electronically steal money from business accounts, often via unauthorized wire transfers and ACH payments.

OCC Issues an Alert on DDoS Attacks

The Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, recently released an alert to CEOs of all national banks, federal branches and agencies, and associated interested parties, calling for a heightened sense of awareness and offering risk mitigation information in response to a series of sophisticated DDoS attacks.

In Matter of First Impression, Eleventh Circuit Rules That Banks May Be Liable For Alleged Fraudulent Wire Transfers

December 5, 2012 | Posted by kacy.mccaffrey@alston.com | Topic(s): Privacy, Financial Privacy, Litigation

In Chavez v. Mercantil Commercebank, N.A., No. 11-15804 (11th Cir. Nov. 27, 2012), the Eleventh Circuit found that the parties did not have an agreed-upon security procedure so as to allow the bank to qualify for safe harbor under Article 4A of the Uniform Commercial Code, as enacted in Florida, and avoid liability for an allegedly fraudulent payment order.

FTC Files Complaint Against Wyndham Worldwide Corp. for Data Breach

June 29, 2012 | Posted by gilly.segal@alston.com | Topic(s): Online Privacy, Federal Trade Commission (FTC), Security Breach, Data Security, Financial Privacy, Data Breach

On June 26, 2012, the Federal Trade Commission (“FTC”) filed a complaint in federal district court in Arizona against Wyndham Worldwide Corporation and three subsidiaries (“Wyndham”) alleging that the company’s failure to adequately safeguard customers’ personal information led to millions of dollars in losses to fraud.

SEC Issues Guidance on Cybersecurity Risks and Incidents

October 20, 2011 | Posted by Charles R. Yates III | Topic(s): Cybersecurity, Financial Privacy

In response to various political pressures, including a letter dated May 11, 2011, from Senator Jay Rockefeller (D-WV) and four other senators to SEC Chairman Mary Schapiro, the Staff of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued guidance on October 13, 2011, setting out its views on disclosure obligations relating to cybersecurity risks and cyber incidents.

India Clarifies Privacy Rules

India has clarified the applicability of its recently released privacy rules, causing a collective sigh of relief for outsourcing suppliers and customers around the globe. As detailed in our prior client alert on the topic, India released a set of rules earlier this year that would have radically changed the manner in which outsourcing suppliers and customers dealt with personal data collected and processed in India. Indeed, the rules were nearly as expansive as the EU Data Directive and would have had a similarly fundamental and profound impact on data practices for virtually every outsourcing relationship in which services were provided from India. On August 24, 2011, however, the Ministry of Communications & Information Technology clarified that the collection, storage, dealing or handling of sensitive personal data or information under a contractual obligation with any legal entity located within or outside India is not subject to Rules 4 and 5, which contained many of the more controversial aspects of the previous guidance. This type of clarification had been anticipated by much of the industry since mid-July and has been uniformly well received.

India Issues Comprehensive Privacy Rules

India issues extensive Privacy Rules with potentially significant impact on Outsourcing Services

On April 11, 2011, India’s Central Government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). Although positioned as an effort to clarify terms left undefined in the Information Technology Act, 2000, the Privacy Rules put in place a significant new data privacy regime covering the collection, use, disclosure or transfer of personal information in India. The Privacy Rules also impose new security standards and security obligations on a company’s data-related operations in India, and require the implementation of a privacy policy. Information qualifying as “sensitive personal data or information” (e.g., passwords, financial information, and medical records) is subject to tighter regulation, requiring, among other things, the written consent of the data subject before such information can be collected.

The Dodd-Frank Wall Street Reform and Consumer Protection Act: A Summary

July 23, 2010 | Posted by David Brown | Topic(s): Advisories, Legislation, Financial Privacy

Two days ago, on July 21, President Obama signed into law H.R. 4173, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Act”). All types of financial institutions will be subject to significant new conditions and limitations under the statute; nonfinancial, publicly traded companies will face new obligations as well. As is always the case with landmark legislation, the consequences for day-to-day operations will emerge over time, as regulators begin their analysis and commence the necessary rulemaking.

This advisory reviews both the broad themes and many of the critical details of the Act. We have organized the discussion by title, but we review the provisions within each title thematically.

The advisory is provided in PDF on the Alston & Bird web site: http://www.alston.com/fisap_dodd_frank_reform_act_summary