Financial Privacy

On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the need for broad public-private cooperation, defined consumer rights and responsibilities, and international streamlining efforts. The Report focused on eight cybersecurity topics identified in the Commission’s charging Executive Order: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, state and local government cybersecurity, and additionally insurance and international issues.

After studying these eight critical areas, the Commission articulated ten foundational principles that shaped its recommendations in the Report. These principles focused on the growth in size and density of Internet-connected systems, United States and federal government leadership in cybersecurity innovation, private-public collaboration, clear definitions of authority and accountability, consumer education, user-friendly cybersecurity products, privacy and trust development, the unique needs and constraints of small businesses, and designing incentives for innovation.

The Report then enumerated myriad imperatives, recommendations, and action items for the current and next Presidential administrations to develop robust cybersecurity in the nation.
Continue Reading The Commission on Enhancing National Cybersecurity Releases Its Report on Securing and Growing the Digital Economy

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks.  The proposed regulation will be subject to a 45-day comment period once it is published in the New York State Register. The regulation will

The Federal Trade Commission (“FTC” or “Commission”) is soliciting public comments on its Standards for Safeguarding Customer Information (“Safeguards Rule”) as part of the systematic review of all FTC rules and guides on a 10-year schedule.  The Safeguards Rule was promulgated by the Commission pursuant to the Gramm-Leach-Bliley Act’s (“GLBA”) directive for federal agencies to

By Ciarra Chavarria

On June 8, 2016, the Securities and Exchange Commission announced that Morgan Stanley Smith Barney LLC (“Morgan Stanley”) had agreed to pay $1 million as a penalty for charges relating to its “failures to protect customer information.”

Morgan Stanley’s settlement with the SEC came several months after a federal court found one of Morgan Stanley’s former financial advisers, Galen Marsh, guilty of illegally uploading confidential information from approximately 730,000 of Morgan Stanley’s clients to his personal computer. Marsh’s server was later hacked by third parties and confidential information of at least 900 clients appeared online for sale.  Marsh was sentenced to thirty-six months of probation and a $600,000 fine.
Continue Reading Morgan Stanley to Pay $1 Million Penalty in SEC Cybersecurity Settlement

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which they have their “main establishment” (i.e., their head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August

By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million. The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually. The rule will be effective as soon as it is published in the Federal Register.

Under the Gramm-Leach-Bliley Act (GLBA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information. An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.

Under the new rule, a financial institution may meet GLBA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements. For instance, the institution may not share data in ways that trigger customers’ opt-out rights. It must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Continue Reading CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information.  The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately

Today, the Federal Trade Commission (“FTC”) issued a staff report examining the consumer-protection implications of popular shopping apps.  These services are intended to ease and enhance the shopping experience by allowing consumers to, for example, compare prices in-store across retailers, collect and redeem deals, or pay for purchases while shopping in brick-and-mortar stores.  The FTC

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) proposed a rule to modify the notice provisions of Regulation P, which implements the financial privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).

Regulation P requires financial institutions to deliver an annual privacy notice to customers, which is often accomplished through a direct mailing to the customer. The proposed rule would allow a financial institution to meet this annual privacy notice delivery requirement, in certain circumstances, by continuously posting the privacy notice on its website in a clear and conspicuous manner (described as the “proposed alternative delivery method” in the proposed rule), and providing the customer with a clear and conspicuous annual disclosure that (i) the privacy notice has not changed, (ii) the notice is available on the institution’s website, and (iii) the customer may request a mailed copy of the notice by calling a toll-free number.
Continue Reading CFPB Proposes Revised Financial Privacy Rule

In January 2014, a massive data leak of some 104 million credit card accounts shocked South Korea. The number of affected accounts was twice South Korea’s population. The incident arose when a temporary employee of a personal credit rating agency that manages personal financial data of customers of three major credit card companies allegedly copied the personal credit details of millions of people onto his portable disk drive and subsequently sold the information to loan marketers and brokers.

On March 10, 2014, the Korean Government announced plans to prevent a recurrence of a large-scale security breach in the financial sector (the “Plan”) (available in Korean here). The Plan contains a number of elements that may be modeled on the EU’s proposed General Data Protection Regulation, such as turnover-based sanctions, limitations on data transfers and data retention and a reinforcement of individuals’ rights.  Some of the proposed measures are supposed to be implemented by amending existing relevant laws. Members of the National Assembly have already tabled legislative proposals for a number of amendments that reflect the Plan at a parliamentary committee meeting on February 24, 2014; however, it is at present unclear when they will be discussed and adopted by the Parliament. By contrast, other measures that do not require legislative changes are likely to be implemented as quickly as possible.

If adopted, the legislative proposals will have a significant impact in particular on financial institutions that handle a large amount of Korean customers’ personal information — such as banks, credit card companies and personal credit rating agencies. However, companies in other sectors are not off the hook, as the Government has indicated the possibility of a comprehensive inquiry to improve general personal information protection beyond the financial sector in the near future.
Continue Reading Is Korea Moving Towards EU-Style Legislation for Financial Institutions?