Join us in our latest Tech Law Talks podcast series as we explore the regulatory topic du jour: eComms. What are eComms and why are they resulting in fines in the hundreds of millions of dollars for some of the world’s largest banks? The answer is simultaneously simple and complex: rapidly changing technology means keeping up with the variety of eComms, or electronic communications, used by businesses and applying decades-old regulations to new functionality is more challenging than ever before.
FTC significantly amends GLBA Safeguards Rule
The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:
- A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
- Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
- Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
- Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
- Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities
The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.
European Banking Authority issues revised Guidelines on Outsourcing arrangements
The European Banking Authority (EBA) issued its revised Guidelines on Outsourcing arrangements (Guidelines) at the end of Feb 2019. The revised guidelines are the first wholesale update since 2006 when the guidelines applied exclusively to credit institutions. They now apply to a broader range of in-scope financial institutions (FIs).…
FINANCIAL INSTITUTIONS MAKE HISTORY IN TARGET MDL, FIRST CLASS ACTION CERTIFIED IN FEDERAL COURT TO LITIGATE SECURITY BREACH ISSUES
Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:
All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.
The certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Security Card Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.
In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.
FFIEC Proposes Social Media Risk Management Guidelines
This post was also written by Timothy J. Nagle and Frederick Lah.
Earlier this week, the Federal Financial Institutions Examination Council (“FFIEC”) released its proposed guidance requesting comment on the applicability of consumer protection laws to the social media activities of financial institutions. The guidance addresses the potential risks associated with the use of social…
One Step Closer to Defining ‘Reasonable’ Data Security Measures?
This post was also written by Frederick Lah.
The concept of “reasonableness” is found throughout the law and tends to develop slowly through the common law in a variety of geographies and commercial contexts. This uneven and unpredictable development of case-by-case rulings ultimately provides resilient standards, but at a great interim cost of uncertainty and…
Consumer Privacy Issues Abound in the Dodd-Frank Wall Street Reform and Consumer Protection Act
This post was also written by Chris Cwalina and Amy Mushahwar.
With President Obama scheduled to sign the Dodd-Frank Wall Street Reform and Consumer Protection Act this week, the financial services industry faces a rapidly changing regulatory environment. While a great deal of attention has been paid to the significant restructuring of the financial…