Friday, November 18, 2022

FYI: Companies With Lax Data Security Risk Running Afoul of FTC

In a pair of recent enforcement actions, the Federal Trade Commission cracked down on companies with allegedly lax data security measures that resulted in the theft of personal information of millions of consumers.

In the first enforcement action, the FTC alleged that an online marketplace company and its CEO "were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers' data from hackers."

Specifically, in 2018 hackers infiltrated the company's servers until the login information for its cloud computing account was changed. Unfortunately, according to the FTC, the company did not address that breach with adequate security measures yet continued to represent to the public it had appropriate security protections. Two years later, an employee's account was breached, and customers' information was stolen.

In the second enforcement action, the FTC alleged an education technology company suffered four security breaches since 2017 but failed to undertake adequate remediation, resulting in the exfiltration of millions of consumers' personal information.

A number of alleged violations were common to both companies, including:

  • failing to require multifactor authentication;
  • failing to limit access to consumers' personal information;
  • neglecting to monitor for security threats;
  • failing to develop adequate security policies; and
  • failing to properly train employees.

Pursuant to the proposed consent orders, both companies are required to remediate these and other issues. Notably, the order concerning the online marketplace company extends to its CEO individually, who "will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities."

The FTC has published a description of the first and second consent agreement packages in the Federal Register. The agreements are subject to public comment for 30 days after publication, following which the Commission will decide whether to make the proposed consent orders final.

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at: Financial Services Law Updates, The Consumer Financial Services Blog, and Webinars.

Monday, November 14, 2022

FYI: NY DFS Announces $4.5 Million Cybersecurity Penalty, Proposes Amendments to Cybersecurity Regs

The Superintendent for the New York Department of Financial Services (DFS) recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR, Part 500.

The regulations apply to a "covered entity," defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."

In this case, a phishing attack likely allowed unauthorized access to six years' worth of consumers' non-public information. According to DFS, the company failed to:

  • implement multi-factor authentication (§ 500.12);
  • limit user access privileges (§ 500.07);
  • implement sufficient data retention and disposal processes (§ 500.13); and
  • conduct an adequate risk assessment (§ 500.09).

In addition to the monetary penalty, the company is required to conduct a comprehensive risk assessment, to include: a) reasonably necessary changes to address material issues identified in the assessment; b) plans for revisions of controls to respond to technological developments and evolving threats; and c) plans for updating or creating additional written policies and procedures.

To its credit, the company's "commendable cooperation throughout [the] investigation" was acknowledged by DFS, as well as its "ongoing and completed efforts to remediate the shortcomings identified in this Consent Order." This is contained in the "Monetary Penalty" section of the Consent Order, so presumably this favorable conduct had a positive impact on the amount of the penalty.

PROPOSED AMENDMENTS TO CYBERSECURITY REGULATIONS

DFS recently announced proposed amendments to its Cybersecurity Regulations that, if implemented, would require:


  • the creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. Furthermore, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation;
  • enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;
  • additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;
  • more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and
  • directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.

DFS is accepting public comment on the proposed amendments through Jan. 9, 2023.
