Financial Privacy

In January 2014, a massive data leak of some 104 million credit card accounts shocked South Korea.  The number of affected accounts was twice the number of the population of South Korea’s.  The incident arose when a temporary employee of a personal credit rating agency that manages personal financial data of customers of three major credit card companies allegedly copied personal credit details of millions of people on his portable disk drive and subsequently sold the information to loan marketers and brokers.

On March 10, 2014, the Korean Government announced plans to prevent a recurrence of a large-scale security breach in the financial sector (the “Plan”) (available in Korean here). The Plan contains a number of elements that may be modeled on the EU’s proposed General Data Protection Regulation, such as turnover-based sanctions, limitations on data transfers and data retention and a reinforcement of individuals’ rights.  Some of the proposed measures are supposed to be implemented by amending existing relevant laws. Members of the National Assembly have already tabled legislative proposals for a number of amendments that reflect the Plan at a parliamentary committee meeting on February 24, 2014; however, it is at present unclear when they will be discussed and adopted by the Parliament. By contrast, other measures that do not require legislative changes are likely to be implemented as quickly as possible.

If adopted, the legislative proposals will have a significant impact in particular on financial institutions that handle a large amount of Korean customers’ personal information — such as banks, credit card companies and personal credit rating agencies. However, companies in other sectors are not off the hook, as the Government has indicated the possibility of a comprehensive inquiry to improve general personal information protection beyond the financial sector in the near future.Continue Reading Is Korea Moving Towards EU-Style Legislation for Financial Institutions?

A federal judge on Wednesday reduced a jury’s punitive damages award against Equifax from more than $18 million to $1.62 million, after finding that the jury’s award was unconstitutionally excessive despite Equifax’s “reprehensible” conduct in violating the Fair Credit Reporting Act.

Plaintiff Julie Miller sued Equifax under FCRA for failing to correct mistakes in the

Routine SEC examinations of investment advisers and investment companies this year will include scrutiny of these entities’ cybersecurity policies, an SEC official told attendees Thursday at a national agency-hosted compliance seminar.

The SEC’s Regulation S-P, which implements the federal Gramm-Leach-Bliley Act, requires brokers, dealers, investment companies, and registered investment advisers to “adopt policies and

A number of investigations and inquiries, including a call for a hearing in Congress on December 30, 2013, have been sparked by the announcement by Target Corp. that a massive security breach of approximately 40 million of its customers’ credit and debit card accounts used at brick-and-mortar Target stores occurred between November 27 and extending through at least December 15.

The retailer stated that hackers obtained information known as “track data”: customer names as well as debit or credit card numbers and card verification values (CVVs).  Armed with track data, hackers can create counterfeit cards by encoding the information onto any card with a magnetic strip. In recent weeks, the stolen track data has been flooding underground black markets, according to Brian Krebs, writing on Krebs on Security. The data is being sold in batches of one million cards for anywhere from $20 to more than $100 per card, with cards issued by foreign banks fetching the higher prices.Continue Reading Senators Call for Hearing on Data Security in Wake of Target Data Breach

Yesterday, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing entitled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”   Committee members expressed interest in bringing about greater transparency to what information is collected by data brokers and how it is used at the hearing, which consisted of a single panel of witnesses from the FTC’s Bureau of Consumer Protection, the World Privacy Forum, Experian, and the Direct Marketing Association.

In advance of the hearing, Chairman John D. Rockefeller IV (D-WV) released a majority staff report summarizing the Commerce Committee’s investigation into how data brokers collect, compile, and sell consumer information.  The staff report notes that data brokers serve a beneficial function in enabling companies to provide customers with products and services specific to their interests and needs, but that certain data brokers “operate with minimal transparency” and that consumer profiling can raise “unintended privacy issues.”  For this proposition, the staff report cited media reports that a major retailer had developed a pregnancy prediction model to enable the company to target marketing towards expectant mothers. 

According to the Committee’s staff report, a perceived lack of transparency may present further concerns when data broker information “end[s] up in the hands of predatory businesses seeking to identify vulnerable consumers, or when marketers use consumers’ data to engage in differential pricing.”

Senate Commerce Committee members generally echoed these concerns at yesterday’s hearing.  For example:Continue Reading Senate Panel Examines Data Broker Industry; Releases Staff Report

Last week, the Government Accountability Office (GAO) agreed to review the Consumer Financial Protection Bureau’s (CFPB) collection and analysis of consumer credit records in response to a request from Senator Mike Crapo (R-ID).  In a letter to the GAO Comptroller General, Sen. Crapo requested that the GAO investigate “CFPB’s data collection to determine its purpose

Earlier this month, the Consumer Financial Protection Bureau (CFPB) posted its semi-annual update of its rulemaking agenda for the coming 12-month regulatory cycle, including recently-completed rulemakings.  The rulemaking agenda is part of a broader initiative led by the Office of Management and Budget (OMB) to publish a Unified Agenda of federal regulatory and deregulatory actions

By: Kelly Carson

Last month, the Federal Trade Commission (FTC) issued an updated “How-To” guide to help businesses and organizations determine whether they are subject to the agency’s Red Flags rule (Rule).  Under the Rule, certain entities are required to establish written programs that are aimed at detecting and preventing identity theft.

The FTC’s revised guide lays out which businesses the Rule covers — namely, “financial institutions” and some “creditors” — as well as the steps they must take to comply with the Rule’s requirements.  As covered in a previous post, the Rule was amended in November 2012 to narrow the definition of “creditor,” bringing it in line with the Red Flag Program Clarification Act of 2012.Continue Reading FTC Issues Revised Business Guide on Identity Theft Red Flags Rule

Earlier this month, Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, and Insurance regarding consumer report accuracy and the FTC’s efforts to improve accuracy through education and enforcement.  Her testimony emphasized the impact that consumer report errors