RSS Feed LinkedIn Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

From the CFPB: 9 Principles for Safer Third-Party Access to Financial Data

Posted on: November 2nd, 2017

By: Zach Moura

The Consumer Financial Protection Bureau (CFPB) is a federal agency that was created to ensure consumer protection in the financial sector. On October 18, it released a set of nine principles intended to help protect consumers who have authorized third-party access to their financial services providers.

This type of access is typically granted when one company, such as a bank or a portfolio management company, obtains access to a consumer’s account data held by a separate financial organization in order to provide the consumer additional services such as bill payment, personal financial management, or fraud screening/identity verification. The CFPB acknowledged that these arrangements can provide “great benefits to consumers,” but present risks for data security and privacy.

To ensure the protection of consumer interests, the CFPB says financial organizations should follow the following nine principles when entering into such relationships:

1. Access: Consumers should be able to access information about their ownership or use of financial products and services in a timely manner.

2. Data Scope and Usability: Consumer data subject to access may include transactional aspects of consumer usage, account terms, and realized consumer costs and benefits. Authorized third parties’ access should be limited to the minimum amount necessary, and only for as long as necessary, to provide the consumer-selected products and services.

3. Control and Informed Consent: Terms of access, including access frequency, data scope, and retention period, should be clearly disclosed and consistent with the consumer’s reasonable expectations. The consumer should also be allowed to revoke the terms easily.

4. Authorizing Payments: Authorizations for payment must be separate from authorizations for data access.

5. Security: Access to consumer data and any storage, use, or distribution of such data must be secure. Consumer data should be maintained in a manner and in formats with strong protections that deter and protect against security breaches.

6. Access Transparency: Consumers should be able to readily ascertain the identity and security of each party for whom they have authorized access, as well as what data is accessed, how it is used, and the frequency with which it is accessed.

7. Accuracy: Consumers should have an expectation that data is accurate and current, with reasonable means to dispute and resolve inaccuracies.

8. Ability to Dispute and Resolve Unauthorized Access: Consumers should have practical means to dispute and resolve unauthorized data access or sharing, payments in connection with data access, and failures to comply with other data users’ obligations.

9. Efficient and Effective Accountability Mechanisms: Commercial participants should be held accountable for harm to consumers, and incentivized to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments, data inaccuracies, insecurity of data, and failures to comply with other obligations.

While these principles are not binding, they are “intended to reiterate the importance of protecting consumers as the market for services using consumer-authorized financial data develops.” It does not appear that the CFPB has any immediate plans to initiate formal regulatory action in this area, but financial institutions should keep abreast of developments as the market for consumer services and products requiring access to financial data grows. A complete copy of the consumer protection principles can be accessed here.

If you have any questions or would like more information, please contact Zach Moura at [email protected].

The NAIC’s Insurance Data Security Model Law Takes a Step Closer to Becoming Reality & Law Firms Should Pay Attention

Posted on: October 27th, 2017

By: Glenn M. Kenna

On October 24, 2017, the National Association of Insurance Commissioners (“NAIC”) adopted the Insurance Data Security Model Law (“Model Law”). The Model Law includes rules covering a broad range of data security, security breach investigation, breach notification, and risk management issues related to nonpublic information. The Model Law applies to insurers, agents, and other entities licensed under state insurance laws (“Licensees”). The passage of the Model Law by the NAIC should be a concern to every law firm as the Model Law would apply to prevent Licensees from contracting with firms that do not have adequate data security measures in place.

In part, the Model Law mandates that Licensees develop, implement, and maintain comprehensive written information security programs to, among other things, protect nonpublic information from unauthorized disclosure. Under the Model Law, Licensees must require “Third-Party Service Providers” – broadly defined as any person, not otherwise defined as a Licensee, with access to nonpublic information due to its contract with the Licensee – to implement appropriate measures to protect and secure Nonpublic information that is accessible to, or held by, the Third-Party Service Provider. Nonpublic information under the Model Law includes any information that is not publicly available and which concerns a “Consumer which because of name, number, personal mark, or other identifier can be used to identify such Consumer in combination with any one or more of… (a)Social Security Number, (b) Driver’s license number or non-driver identification card number, (c) account number, credit, or debit card number, (d) any security code, access code, or password that would permit access to a Consumer’s financial account; or (e) Biometric records.” The Model Law further requires that the Licensee’s executive management or delegates report annually on the Licensee’s compliance.

Law firms can and should develop (and follow) robust data security programs compliant with the ever-increasing data security laws or risk being passed over by companies which are increasingly sensitive to their data security obligations and increasingly responsible for breaches by third party vendors. The NAIC’s passage of its Model Law follows implementation of New York’s data security law in March, which the Model Law closely follows. Much like the Model Law, the New York law requires law firms to comply with detailed data security rules imposed on them by Licensees. It is only a matter of time until the Model Law or similar regulations of broad application are passed by each state. Law firms that ignore the rapidly-changing data security landscape do so at their own peril.

If you have any questions or would like more information, please contact Glenn Kenna at [email protected].

Equifax and SEC are Latest Victims of Cyber Attacks

Posted on: September 25th, 2017

By: Amy C. Bender

Two more powerhouses have fallen victim to a data breach.

News of the cyber attack on Equifax spread like wildfire, causing fear in the minds of credit holders everywhere as well as an almost immediate wave of individual and class action lawsuits. The breach – dubbed “absolutely the worst data breach in the history of the modern era” by consumer expert Clark Howard – compromised the personal information (name, Social Security number, date of birth, addresses, and, in some cases, driver’s license numbers) of more than 143 million consumers. As if the scope of the attack was not bad enough, Equifax’s response to the attack has come under criticism on several fronts. For example, many critics believe Equifax’s offer of free credit monitoring to affected consumers did not go far enough since the hackers already have access to consumers’ personal information (and potentially can use it for years to come). Also, Equifax’s dedicated breach website was a separate domain that required users to provide their name and a portion of their Social Security number – the very same information that was hacked in the first place – to determine whether they had been impacted by the breach, often without coming away with a clear answer. Further, the company’s official Twitter account, in response to inquiries, directed consumers to a fake phishing website. This apparently was done intentionally to educate consumers on the dangers of phishing sites, but understandably did not go over well, leading Equifax to apologize and remove the website.

The Securities and Exchange Commission also has been the subject of an unauthorized intrusion into its online system for company financial filings, EDGAR. Although the attack occurred and was discovered last year, the SEC only recently discovered that the attack may have resulted in incidents of insider trading. Moreover, word now is out that the U.S. Department of Homeland Security noted “critical” weaknesses in the SEC’s cybersecurity back in January. One silver lining is that the SEC does not believe any personally identifiable information was accessed due to the breach.

There are many lessons to be learned from this latest round of cyber attacks:

  • Even the most sophisticated organizations are not immune from a cyber attack.
  • Planning, implementation, and monitoring of cyber security is essential.
  • How your organization responds to a cyber attack is critical and will be scrutinized closely by government agencies, your clientele, and the public.
  • Be vigilant about checking your personal and financial accounts.

FMG’s Data Security, Privacy & Technology team has served as breach counsel in hundreds of successful incidents and is available to advise organizations on proactive measures to prepare for and protect against a data breach as well as to help respond effectively if and when an incident occurs.

If you have any questions or would like more information, please contact Amy C. Bender at [email protected].



Computer System Fraud and Funds Transfer Fraud Coverages Extended to “Spoofing”

Posted on: September 8th, 2017

By: Richard E. Wirick


Computer theft insurance takes many forms. Under traditional commercial criminal theft products, coverage only applies if there is a “fraudulent (a) entry into…a Computer; [and] (b) a change to Data elements or program logic of a Computer System.”

Let’s take two examples of claims, one covered and one proving problematic. In the first scenario, a third party hacker hacks into an insured’s computer system, causing it to transfer the funds from the insured’s account into the hacker’s bank account. In the second scenario, a hacker “spoofs” the same result. That is, he emails the insured, fraudulently misrepresenting that he is one of the insured’s clients, and urges the insured to make a transfer to an offshore lender. Note that “spoofing” works because it tricks the insured’s email server into recognizing the fraudulent email as one that originated from the insured client or an agent of the insured’s client.

While coverage has often been found for scenario one, recognizing that the hacker had in fact gained access to and hence “used the [insured’s] computer to…fraudulently cause a transfer from inside [the insured’s premises] to an… outside person,” the second scenario has proven more difficult for policyholders to argue for coverage because it is typically not recognized as the “use of a computer” to “cause a transfer” of money from within an insured’s premises to an outside destination. “To interpret the computer -fraud provision as reaching any fraudulent scheme in which [a computer] communication was part of the process would convert [that] provision into one for general fraud.” Apache Corp. v. Great American Ins. Co., 662 F. App’x. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017).

Recently, the U.S. District Court for the Southern District of New York issued an opinion that will be argued by policyholders seeking coverage for scenario two. Medidata Sols., Inc. v. Fed. Ins. Co. No. CV-00907, 2017 U.S. Dist. LEXIS 122210 (S.D.N.Y. July 21, 2017). Medidata’s accounting department received a phony email, purportedly from the company’s president, stating that an attorney would be contacting them.  Although the email contained the president’s correct email address on the “from” line (and his picture), it was a “spoof.”  After a phone call and a second email by the hacker to accounting and high level executives, Medidata wired $4.7 million to an offshore bank, and into the hacker’s hands.

The insurer argued no coverage under the Computer Fraud Coverage in the “Crime Coverage Section” of an “Executive Protection” policy because there was no “fraudulent entry of Data into [a] computer system,” because the information instructing the transfer went to an “inbox…open to…any member of the public.” The Medidata court disagreed. It held that the president’s address in the “from” line constituted “data”, entered by the hacker, posing as the company’s president. This satisfied the requirements that the third party “entered the insured’s computer system and “used” it to effectuate a fraudulent transfer.”

On the Funds Transfer Fraud Coverage of the “Crime Coverage Section”  the issue was whether the transfer was “without Medidata’s knowledge or consent.”  The Court held that the fact that the accounts payable employee willingly pressed the “send” icon does not transform the bank wire into a valid transaction. Since the validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by “larceny by trick.”

The decision can be expected to be appealed by the insurer.   The Medidata decision extension of the concept of “use” or “violation” in computer fraud coverage parts to the ever-increasing practice of “spoofing” is a novel interpretation of the coverage that was at issue and an area that we anticipate will continue to be reviewed by the courts.   

If you have any questions or would like more information, please contact Rick Wirick at [email protected], or John Moura at [email protected].

Delaware Amends Data Breach Notification Law

Posted on: August 29th, 2017

By: Kacie L. Manisco

On August 17, 2017 Delaware Governor John Carney signed into law a bill amending the state’s Date Breach Notification Statute, marking the first significant change to Delaware’s data breach notification law since 2005. The amendments, which will go into effect on April 14, 2018, bring significant changes to how covered entities must prepare for and respond to data breaches.

Reasonable Data Security: Any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business. The definition of “person” has been expanded to include any business form, governmental entity, “or any other legal or commercial entity.”

Definition of Personal Information: The amendment expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with any one or more of the following that relate to the individual: (1) Social Security number; (2) driver’s license number or state or federal identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) passport number; (5) a username or email address, in combination with a password or a security question and an answer that would permit access to an online account; (6) medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile; (7) health insurance policy number, subscriber identification number or any other unique identifier used by a health insurer to identify the person; (8) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and (9) an individual taxpayer identification number.

Breach Notification: Delaware’s amended data breach law also now requires that notification be provided to residents affected within 60-days of discovery of the breach, unless a shorter time is required under federal law or a law enforcement agency has made a request that notice be delayed. Prior to this amendment, Delaware’s statute, similar to the data breach statutes of a majority of states, only mandated that disclosure of a data breach be made in the “most expedient time possible” and “without unreasonable delay.”

The amendment further clarifies that covered entities are not required to provide notice if an investigation reveals the breach was unlikely to result in harm to the affected residents. The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.

Attorney General Notification and Enforcement: Additionally, covered entities will now be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The prior version of the law did not require regulator notification.

Credit Monitoring: Delaware now joins California and Connecticut in mandating covered entities offer individuals affected by a breach of security involving Social Security numbers at least one year of free credit monitoring services unless.

As we have discussed before, these changes highlight the importance of being prepared ahead of time before a breach occurs, which includes having data breach response plan in place that will help you timely comply with notice obligations like these. We have created our FMG Cyber Toolkit to help our clients for this very reason. Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.

If you have any questions or would like more information, please contact Kacie L. Manisco at [email protected].