August 6, 2018

Data, Privacy & Security Practice Report – August 6, 2018


Treasury Releases Report On Technology Innovation And Use Of Consumer Data By Nonbank Financial Institutions – On July 31, the U.S. Department of the Treasury (“Treasury”) released a report outlining recommendations to streamline and modernize the regulatory environment to “better support nonbank financial institutions, embrace financial technology, and foster innovation” (the “Report”).

In preparing the Report, the Treasury engaged with a range of stakeholders, including trade associations, individual firms, investors, academics, consumer and advocacy groups, as well as federal and state regulators. Implementation of many of the over 80 recommendations will require congressional or regulatory action at the federal and state level. 

The Report recognizes that the competitive environment for banks and nonbanks has changed substantially since the financial crisis. Advances in technology, such as cloud computing and data storage, combined with the proliferation of mobile communication, have accelerated financial innovation. Artificial intelligence and machine learning models offer great potential to raise the overall quality of consumer financial services products. However, these various data flows raise data privacy concerns. 

The Report outlines a series of recommendations to promote the efficient and responsible use of consumer data, including the updating of key provisions of the Telephone Consumer Protection Act; removing regulatory barriers to developing a digital legal identity; and establishing a federal data security and breach notification law “to protect consumer financial data and ensure that consumers are notified of breaches in a timely and consistent manner.” Additionally, the Report recommends regulatory reforms in marketplace lending; mortgage lending and servicing; student lending and servicing; debt collection; credit bureaus; IRS income verification; payment processing; and short-term, small-dollar lending. 

One of the overall themes of the Report is fostering an “agile approach to regulation that can evolve with innovation.” For example, the Report cites blockchain and distributed ledger technologies as “promising innovations” and recommends that “it would be beneficial for regulators to permit meaningful experimentation in the real world, subject to appropriate limitations.” The Treasury also encourages the development of regulatory “sandboxes” as testing grounds for innovation and notes the importance of participation in international organizations to promote domestic priorities of U.S. regulators and to address the needs of U.S. companies operating globally.

This Report is the fourth and final in a series of reports prepared in response to Executive Order 13772 on Core Principles for Regulating the United States Financial System. See previous reports focused on banks and credit unions, capital markets, as well as asset management and insurance.

A Treasury fact sheet on the Report can be found here, and the full Report can be found here.

Reporter, Allison Kassir, Washington, D.C., +1 202 626 5600, akassir@kslaw.com.

DHS Center To Defend Critical Infrastructure From Hacking – The Department of Homeland Security (“DHS”) will open a National Risk Management Center (the “Center”), which will focus on evaluating and defending U.S. critical infrastructure from cyberattacks and digital threats. DHS Secretary Kirstjen Nielsen announced the creation of the Center on Tuesday, calling it the new “focal point” for cybersecurity within the federal government.

The Center is proposed to be a place where private companies can get assistance if they experience a cyberattack. The intent is for a company to seek assistance early on, so that DHS via the Center can help protect other companies in the same sector or industry from falling victim to the attack. To that end, DHS envisions the Center will serve to create partnerships between federal agencies and private companies to identify and address potential threats quickly. 

To begin with, the Center will focus primarily on the energy, finance, and telecommunications industries. In the immediate future, DHS intends to conduct a number of 90-day “sprints” through the rest of 2018 to identify key needs and priorities, as well as rapidly build out the Center’s processes and capabilities. DHS ultimately plans to run simulations, tests, and cross-sector exercises to evaluate the weaknesses and threats to U.S. critical infrastructure. 

Related to the new Center and DHS’ efforts to combat cyber threats, DHS is working with Congress to pass legislation to make organizational changes at DHS. On Tuesday, Senators Maggie Hassan (D-NH) and Rob Portman (R-OH) introduced the DHS Cyber Incident Response Teams Act of 2018. The legislation would effectively recast what is now the National Protection and Programs Directorate into an official, operational agency. The House of Representatives passed its version of the bill several months ago.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.

Federal Cybersecurity Practices Scrutinized At U.S. House Subcommittee Hearing – On July 25, 2018, the Subcommittees on Government Operations and Information Technology of the U.S. House of Representatives Oversight and Government Reform Committee (the “Committee”) held a joint hearing entitled “GAO High Risk Focus: Cybersecurity,” with Gene Dodaro, Comptroller General of the Government Accountability Office (“GAO”), and Suzette Kent, Federal Chief Information Officer at the Office of Management and Budget (“OMB”), testifying as witnesses. 

The main purpose of the hearing was to review the GAO’s recent report on existing cybersecurity challenges facing the federal government, its recommendations for addressing them, as well as the Administration’s plan of action. The GAO report highlighted the fact that, since 2010, the GAO has made over 3,000 federal government cybersecurity recommendations, and approximately 1,000 of them still need to be implemented by various federal agencies and entities. This fact was not lost on the subcommittee leaders, with Ranking Member of the Information Technology Subcommittee Rep. Robin Kelly (D-IL) noting that “the Trump administration’s plans failed to include basic components needed to carry out a national strategy for protecting critical cyber infrastructure.” Information Technology Subcommittee Chairman Hurd (R-TX) echoed Ms. Kelly’s concerns regarding the 1,000 outstanding recommendations, stating: “It’s not acceptable given the threat we face. These open, lingering vulnerabilities put us at incredible risk as we saw with the devastating data breaches at OPM.”

In his testimony, Mr. Dodaro touched on each of the four major cybersecurity challenges identified in GAO’s latest report, including:

  • Establishing a comprehensive cybersecurity strategy and performing effective oversight;
  • Securing federal systems and information;
  • Protecting cyber critical infrastructure; and
  • Protecting privacy and sensitive data.

He also highlighted the need to move faster to address these challenges, stating that he didn’t “think that the federal government’s moving at a pace commensurate with the evolving threat in this area.” Ms. Kent, the OMB witness, emphasized the Administration’s focus on addressing federal cybersecurity threats, noting that 37 of the 52 federal information technology modernization tasks identified in the President’s May 2017 Executive Order have been implemented, with the remainder to be completed by the end of the year. However, she also recognized that “there’s still much to do,” especially in the areas of agency cybersecurity risk identification and mitigation. Members in attendance expressed particular interest in federal agencies’ self-reporting practices with respect to information security control assessments. In response, Ms. Kent noted that she has been working with GAO to identify ways in which OMB could automatically extract the relevant data directly from agencies, rather than rely on the existing self-reporting mechanisms. 

We will continue to monitor the Committee’s activities on these issues and provide updates on any significant developments. 

Reporter, William Clarkson, Washington, D.C., +1 202 626 8997, wclarkson@kslaw.com.