October 10, 2016

Data, Privacy & Security Practice Report – October 10, 2016


Federal Reserve Board’s OIG Issues Reports Highlighting The Importance of Cybersecurity – In two reports issued on September 29, 2016, the Federal Reserve’s Office of Inspector General (“OIG”) discussed the major management challenges facing the Federal Reserve Board (the “Board”) and the Consumer Financial Protection Bureau (“CFPB”). Although not statutorily required to do so, the OIG compiles these annual listings of major management challenges facing the Board and the CFPB. According to the OIG, these challenges represent the areas most likely to hamper the Board’s and the CFPB’s accomplishment of their strategic objectives if not addressed. Concerns related to cybersecurity topped both lists.

For the second year in a row, the OIG highlighted cybersecurity-related issues as the top two management challenges facing the Board. First, according to the OIG, the Board needs to enhance its oversight of cybersecurity at supervised financial institutions. The Board has already designated cybersecurity oversight as a high priority, and, through its supervisory program for financial institutions, it already undertakes efforts to ensure that supervised financial institutions manage and mitigate the potential risks and vulnerabilities associated with cyberattacks. However, in light of the increasing number and sophistication of cyberthreats and attacks at financial institutions, the Board must continue to update and tailor its supervisory approach, define appropriate short- and long-term goals, and work with other regulators to provide supervised institutions with support and guidance.

Second, the OIG recommended that the Board focus on ensuring that it has an effective information security program. The OIG noted that the importance of information security in the federal sector was highlighted by recent data breaches involving sensitive data and the increase in information security incidents reported by federal agencies over the last several years. While the Board has already undertaken efforts to protect its IT infrastructure, it should pursue additional opportunities to enhance its information security programs, ensure that only those with a need to know have access to its online collaboration environments, and ensure that its third-party providers meet information security program requirements.

Ensuring an effective information security program was also the top management challenge identified by the OIG as facing the CFPB, the second year in a row that this challenge has topped the CFPB’s list. The CFPB has taken steps to develop and implement an information security continuous monitoring program. However, it continues to face challenges in maturing that program, including centralizing and automating the tools it relies on. Successfully managing this challenge is critical given the amount of sensitive information the CFPB collects and stores. Unauthorized access to or disclosure of that information could undermine the public’s trust in the CFPB and limit its ability to accomplish its mission. The OIG further identified opportunities for the CFPB to better detect and protect against these threats.

Reporter, Ashley B. Guffey, Atlanta, +1 404 572 2763, aguffey@kslaw.com.

Barnes & Noble Data Breach Class Action Dismissed – On Monday, October 3, 2016, the U.S. District Court for the Northern District of Illinois dismissed a putative class action lawsuit concerning a 2012 data breach at Barnes & Noble, Inc. (“B&N”) during which hackers obtained personal identifying information (“PII”) belonging to B&N customers. Although the court found that the plaintiffs had established standing to sue, it also concluded that the lack of monetary losses or public dissemination of the PII doomed their claims.

The alleged consumer harm stemmed from a security breach that compromised debit and credit cards swiped at PIN pad terminals at 63 B&N stores in nine states. In 2013, U.S. District Judge John W. Darrah of the same court had dismissed the dispute without prejudice for deficiencies in standing; last week his colleague, Judge Andrea R. Wood, determined that those deficiencies had been rectified. Nonetheless, Judge Wood again dismissed without prejudice the B&N customers’ claims of breach of contract, invasion of privacy, and violations of Illinois and California consumer fraud statutes, this time for failure to adequately state a claim.

Specifically, Judge Wood noted that even where customer plaintiffs had identified fraudulent charges made with their stolen credit card information, they failed to demonstrate any out-of-pocket losses associated with those charges. The court distinguished these circumstances from a 2011 data breach suit against Michaels Stores Inc., in which the Michaels plaintiffs had shown unauthorized withdrawals from their accounts and related bank fees, both of which amounted to “actual monetary losses.” Further, Judge Wood found that none of the B&N plaintiffs’ allegations concerning future risk of identity theft and the cost of mitigating such risk amounted to sufficient economic harm to state a claim under the consumer fraud statutes.

The court also found that the exposed PII was not widely disseminated, and that the only people who would have had access to such information were the hackers themselves and potentially third parties to which they sold the PII. Even if the information had been shared publicly, the court added that credit card data would not rise to the level of “private facts” that would be “revealing, compromising, or embarrassing,” as required to sustain an invasion of privacy claim.

Under the court’s order, the B&N consumers have until October 31, 2016 to re-plead their claims.

Reporter, Nicole M. Pereira, New York, NY, +1 212 556 2132, npereira@kslaw.com.

FCC Sets Out Revised Privacy Rules For Broadband Providers – On Thursday, October 6, 2016, the Chairman of the Federal Communications Commission (“FCC”), Tom Wheeler, announced a proposal for new privacy rules for broadband providers in a post on the FCC’s website. Chairman Wheeler stated that the new rules would be calibrated to the sensitivity of consumer data, bringing them more in line with the Federal Trade Commission’s (“FTC”) approach to protecting consumer privacy. Chairman Wheeler circulated the proposal to the other members of the FCC, and the proposal will be taken up at the FCC’s monthly meeting on October 27.

Under the proposal, internet service providers (“ISPs”) would need a customer’s affirmative opt-in consent before using or sharing sensitive information such as precise geo-location, social security numbers, app usage and web browsing history. For non-sensitive but individually identifiable information, such as the customer’s service tier, ISPs could use and share the data unless the customer opts out. The focus of the new rules is to enhance consumers’ choice as to what information gets shared, while also providing transparency about what information is being shared, in order to increase consumer privacy and the security of sensitive information.

The rules are part of the FCC’s effort to apply the privacy requirements of the Communications Act to broadband service providers after reclassifying those providers as common carriers, a category that is largely exempt from FTC authority.

In his post, Chairman Wheeler stated as follows: “Calibrating consent requirements to the sensitivity of the information aligns with consumer expectations and is in harmony with other key privacy frameworks and principles — including those outlined by the FTC and the administration’s consumer privacy bill of rights. The proposed rules are designed to evolve with changing technologies, and would provide consumers with ways to easily adjust their privacy preferences over time.” The proposed rules would also require ISPs to take reasonable measures to protect customer data from breaches, including taking appropriate steps to notify customers that their data has been compromised. Although it is unknown whether the rules will be adopted as described by Chairman Wheeler, the FCC meeting on October 27 should give more clarity to that question.

Reporter, Brett Schlossberg, Silicon Valley, +1 650 422 6708, bschlossberg@kslaw.com.