Three Take-Aways From The CapitalOne Data Breach

August 1, 2019 at 9:42 am Leave a comment

Unless you live under a pineapple in Bikini Bottom you know that Capital One isn’t the only one that wants to know “what’s in your wallet”. The major issuer of credit cards has been victimized by a data breach, perpetrated by an ex Amazon employee, which has exposed more than 100 million credit card and account applications to potential misuse. As we all know these numbers always tend to increase over time.

Since you have both a legal obligation to respond to the latest cyber security developments and because you might as well learn from Capital One’s misfortune. Here are some of the take-aways for you to consider:

  • What data are you keeping? For how long? For what reasons? The more experience I gain in this area of the law the more I believe that record retention is actually one of the most challenging frameworks for your institution to implement. That being said, if press reports are accurate then some of the information which has been exposed includes credit card applications more than a decade old. I have some pretty smart compliance people that read this blog and if anyone can give me a good reason for holding onto this information for this long, please let me know what it is. In addition, when you look at both regulations and best practices you have a legal obligation not to hold data longer then you need it. For example, NY State’s cybersecurity regulations mandates that you have a policy specifically addressing the maintenance and destruction of data.
  • The Cloud is not without its risks. There is a perception that anything in the cloud is safer than it would otherwise be stored away on servers in your back office. After all what could be safer then floating on a puffy white cloud on a beautiful summer day. CAPOne was in the forefront of cloud based computing. News flash people the Cloud is nothing more or less than a massive amount of servers maintained by huge companies such as Amazon, Oracle, and Microsoft. These servers provide you with the convenience of offloading the need for much of your IT infrastructure in return for a fee. What this means is that your data is only as safe as the least trustworthy employee of your cloud service provider. It must not be exactly comforting to Capital One to know that the allege mastermind was a former Amazon employee who chose the online handle erratic when bragging about her exploits online.
  • What’s in your contract? Which bring us to the conclusion that your best protections are the ones that you put into your vendor agreement. While I will always argue that you should always review your contract terms and request changes. If only to demonstrate to your examiner that you understand the important role contracts play in proper vendor management. The reality is that because most cloud services are offered by huge companies, your negotiations will probably be unsuccessful. I have reviewed contracts from Oracle and Amazon recently and sufficient to say that you legal redress in the event of a data breach on the cloud is limited.

Fed Lowers Interest Rates

At the conclusion of its two day powwow the Fed’s Open Market Committee decided to cut interest rates by a quarter of one percent. The move underscores the strange economic times we continue to live in; after all can you imagine Alan Greenspan cutting interest rates with unemployment at historically low levels? According to the chairman, a rate cut this late in an economic expansion isn’t all that unusual and shouldn’t be viewed as a signal that future rate cuts are necessarily coming anytime soon. This of course confounded the captains of industry in Wall Street who were already penciling in multiple rate cuts in the coming months. President Trump was not amused.

Entry filed under: Compliance, Legal Watch. Tags: , .

CFPB Prepares For A Post-Patch World New York Flexes its Regulatory Muscle

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 639 other followers