On May 15, 2017, the Federal Reserve Office of Inspector General – which also oversees the CFPB – released a report finding deficiencies in the CFPB Office of Enforcement’s (Enforcement) processes for securing sensitive information.  The evaluation, conducted between February 2016 and July 2016, reviewed Enforcement’s processes for protecting the information it collects from the entities subject to its investigations and litigation activities related to potential violations of federal consumer financial laws, referred to as confidential investigative information (CII).

First, the Report found that access to matters containing CII was not always restricted to employees who required it to perform their assigned duties – during the time period evaluated, the OIG identified 113 individuals with access to matters when they no longer needed it.  Although CFPB policy is to require that access to high-sensitivity information, including CII, be restricted to individuals “with a demonstrated business need,” employees were generally allowed broad access to the network drive containing CII.  To address these issues, the Report offered five recommendations: (1) formalize in policy that employees should be granted access to Enforcement’s review tools and network drive matter folders only when such access is relevant to their assigned duties; (2) update policies and procedures to specify the process for approving and updating matter folder access rights for Enforcement’s review tools and network drive; (3) expand existing training for employees to reinforce guidance on Enforcement’s interpretation that “demonstrated business need” means relevance to performing assigned duties, and the access approval and updating process for Enforcement’s review tools and network drive; (4) develop and implement a monitoring and testing approach to periodically confirm that Enforcement’s matter folders are appropriately restricted; and (5) coordinate with the Chief Information Officer to ensure that the new cloud environment, which is intended to replace the network drive, includes access approval and monitoring capabilities that meet the current and future needs of Enforcement.

Second, the Report found that Enforcement employees did not consistently follow CFPB guidelines for safeguarding CII, were unaware of certain aspects of the CFPB’s policies, and did not understand how relevant policies applied to their daily work activities.  The Report offered three recommendations to address this issue: (1) develop and implement operational procedures specific to Enforcement for handling printed high-sensitivity information, including but not limited to information labeling requirements and the use of cover sheets; (2) establish a strategy to periodically reinforce handling and safeguarding requirements and establish a monitoring approach to test compliance with information handling and safeguarding policies and procedures; and (3) monitor securable, access-controlled storage space, including but not limited to lockable cabinets and offices, to ensure that it meets the needs of all Enforcement employees.

Lastly, the Report found that Enforcement’s lack of a uniform naming convention hindered its ability to monitor and maintain access to matter folders.  The Report found that matter folder names were not uniform, with several instances of duplicate matters, and matters were inconsistently identified across different systems.  This hindered management’s ability to: (1) locate documents; (2) assign and monitor access to matter folders; and (3) ensure uniform and complete documentation or data for a matter.  The Report recommended developing a policy to establish a standard naming convention for matter folders and other relevant Enforcement folders to be used across all Enforcement applications and internal drives.

The Report raises significant – and continuing – concerns regarding Enforcement’s ability to safeguard the information it collects in the course of its investigations.  The Report follows the OIG’s September 29, 2016, memorandum, which identified information security as an area of improvement for CFPB management (see our prior blog post).  It is also interesting to note that the Report’s review period coincides with Enforcement’s March 2016 consent order with Dwolla, which marked Enforcement’s first – and to date, its only – foray into the data security realm (see our blog post on the consent order).  The Report’s findings highlight Enforcement’s continued struggle to satisfy the same internal data security requirements that it expects companies to maintain.  Enforcement’s failure to restrict access to sensitive information creates a risk of unauthorized disclosure.  Moreover, while the Report notes that former employees do not pose a significant risk due to the fact that they should no longer have access to the CFPB’s network, the fact that their access has not been restricted provides at least some reason for concern that these individuals may be able to misuse this information.

New Mexico recently became the 48th state to enact a data breach notification law.  This continues the accelerated pace of state data breach legislative activity in the last two years.  Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.

Among the most significant aspects of New Mexico’s brand-new “Data Breach Notification Act” is its definition of “Personal Identifying Information.”  The Act follows a growing state trend by including “biometric data” in its definition of “personal identifying information.”  In addition, “security breach” is defined as the acquisition of—but not mere access to—unencrypted computerized data or encrypted data if the encryption key is also acquired.  The Act contains an exemption from the requirement to provide notice within 45 calendar days after discovery of the breach for persons subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.

For more information on the new law, see our legal alert.
On September 29th, the Office of the Inspector General (OIG) that oversees the CFPB released a memorandum detailing the major management challenges facing the CFPB.  The memo identified four areas of improvement that, unless addressed, would otherwise hamper the CFPB’s ability to accomplish its strategic objectives:

  • Ensuring an Effective Information Security Program
  • Ensuring Comprehensive Policies and Procedures Are in Place and Followed
  • Maturing the Human Capital Program
  • Managing and Acquiring Sufficient Workspace to Support CFPB Activities

Despite the vast quantities of consumer information being collected by the CFPB as part of its consumer protection mission, the CFPB has not fully implemented an information security continuous monitoring program, including a comprehensive data loss prevention system and oversight of contractor-operated information systems.  Furthermore, the CFPB has not fully implemented processes within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information.  Not only must the CFPB be concerned about hackers, the CFPB must also address the risk of insider threats.  A review of the CFPB website reveals that the CFPB makes very few representations about the level of security being provided for consumer information.  In the wake of the CFPB’s data security enforcement action against Dwolla, Inc. (see our prior blog post), the CFPB should be prepared to satisfy the same data security requirements that it expects to see among the companies that it regulates.

Additionally, the CFPB expects companies to maintain comprehensive compliance management systems, including written policies and procedures as well as employee training on those policies and procedures.  However, the OIG concluded that the CFPB does not have a comprehensive set of policies and procedures for some program areas, and that the CFPB did not fully ensure that its staff members were aware of and complied with its existing policies and procedures.  Despite clear guidance provided to industry about the minimum requirements of an effective compliance management system, as described in the CFPB Supervision and Examination Manual, the CFPB appears to have similar struggles in establishing its own internal governance.

Last August, we blogged about a Third Circuit decision that held the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  In our blog post, we commented that banks and other companies subject to the CFPB’s jurisdiction faced the possibility that the CFPB could begin using its Dodd-Frank authority to bring enforcement actions against companies engaged in unfair, deceptive, and abusive acts and practices (UDAAP) to regulate cybersecurity policies and procedures.  The CFPB’s announcement yesterday of its first data security enforcement action demonstrates that our concerns were well-founded.

The CFPB’s target in this action was Dwolla, Inc., a company that operates an online payment system and uses consumers’ personal information to complete financial transactions.  The CFPB lacks enforcement authority with respect to the data security provisions of Gramm-Leach-Bliley.  In targeting Dwolla, the CFPB apparently decided that it could use its UDAAP authority with respect to data security matters.  Focusing on the UDAAP deception prong, the CFPB alleged that the company failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company has implemented practices that exceed industry standards.  The CFPB’s action significantly ups the ante for large banks and non-banks subject to the CFPB’s enforcement jurisdiction.

For more about the action, see our legal alert.  On March 18, 2016, Ballard Spahr will conduct a webinar, “The CFPB’s First Data Security Enforcement Action – Its Significance for Banks and Non-Banks.”  A link to register is available here.
The Association of Corporate Counsel Foundation (ACC) released a State of Cybersecurity report on December 9, 2015.  Ballard Spahr was the only law firm that served on the advisory board for the study and helped to formulate the survey questions.  The report provides valuable insights on cybersecurity issues from more than 1,000 corporate lawyers at 887 organizations worldwide—most of whom hold the position of General Counsel or Chief Legal Officer.

We have previously observed that banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.  The ACC report can be used by in-house lawyers to assess whether their companies are devoting appropriate time and resources to cybersecurity.  A company whose cybersecurity practices did not align with companies of a similar size in the same industry might be at greater risk of a UDAAP challenge if the CFPB were to scrutinize its cybersecurity policies and procedures.

For more on the report, see our legal alert.  On January 12, 2016, Ballard Spahr will hold a webinar, “Lessons Learned: Best Practices for In-House Counsel from the ACC Cybersecurity Report,” from 12:00 p.m. to 1:00 p.m. ET.  A link to register is available here.

As we have previously observed, banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.

For companies also subject to the FTC’s jurisdiction, the threat of FTC regulation of their cybersecurity policies and procedures became significantly more imminent as a result of the Third Circuit’s August 2015 decision in FTC v. Wyndham Worldwide Corporation.  In that case, the Third Circuit ruled that the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  The prohibition of “unfair” acts or practices in Dodd-Frank is based on the unfairness standard in Section 5.

However, in a more favorable development, the FTC’s Chief Administrative Law Judge recently dismissed the FTC’s complaint against LabMD, Inc., in which the FTC charged that the company engaged in unfair acts or practices in violation of Section 5 by failing to adequately protect consumer data.  According to the FTC, the company’s failure to provide reasonable and appropriate security for personal information maintained on its computer networks resulted in two “security incidents.”

For both incidents, the ALJ based its decision to dismiss the complaint primarily on the FTC’s failure to prove the company’s practices were “likely to cause substantial injury to consumers,” as is required by the unfairness standard in Section 5.  This was, in large part, because for both incidents, no consumers had been harmed despite the passage of considerable time since the incidents.

This decision marks the rare instance in which a company has successfully challenged an FTC data security action.  For more on the decision, see our legal alert.

The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB that the OIG believes will hamper the CFPB’s ability to accomplish the CFPB’s strategic objectives.  Like the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program.  Due to the advanced persistent threats faced by the federal government, the OIG concluded that the CFPB needs to strengthen its defenses against attacks from outside governments, organized groups, and other threats.  The OIG identified four high-priority security risk areas for CFPB improvement:

  • Continuous monitoring to assess security controls and system configurations
  • Configuration management of CFPB systems
  • Role-based security training for individuals with significant security responsibilities
  • Incident response and reporting

The OIG applauded the CFPB’s efforts to build out its Cybersecurity Program Management Office, but the OIG recommended that the CFPB should continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the Treasury Department, and ensuring that personally identifiable information (PII) is properly protected, including the PII that the CFPB receives from consumer complaints about credit card accounts, mortgage loans, and other consumer financial products and services.

Banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.  For companies also subject to the FTC’s jurisdiction, however, the threat of FTC regulation of their cybersecurity policies and procedures is significantly more imminent in view of a recent decision of the U.S. Court of Appeals for the Third Circuit.

In FTC v. Wyndham Worldwide Corporation, a case of first impression, the Third Circuit ruled that the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  For a discussion of the decision, see our legal alert.

On September 10, 2015, Ballard Spahr attorneys will hold a webinar, “FTC as the de Facto Privacy Regulator: 10 Things You Need To Know” from 12:00-1:00 p.m. ET.  The registration form is available here.
As part of their increased focus on cybersecurity, the CFPB and the federal banking regulators are taking steps to raise financial institutions’ awareness about the need for preparedness.  On June 24, 2014, the Federal Financial Institutions Examination Council (FFIEC) launched a web page that combines available resources from the federal regulators on cybersecurity.

In addition to heightening institutions’ awareness of cybersecurity risks, the web page is intended to create a repository of prior FFIEC cybersecurity documents and guidance.  The web page was established in conjunction with the CFPB, the Fed, the FDIC, the NCUA and the OCC.  For more information, see our legal alert.

On Wednesday, July 16, Ballard attorneys will be conducting a cybersecurity webinar.  A description of the webinar with a link to register is available here.