Posts tagged ‘cyber security’

Time for the Arbitration Talk

It’s time to sit everyone down and have “The Talk.”

I’m bringing this to your attention because of an article in the American Banker (subscription required) detailing the travails of a New Jersey pastor who was falsely accused of passing fraudulent checks by, who else, Wells Fargo. The misidentification of the pastor was quickly resolved, but when he went to sue the bank, he discovered that he would have to arbitrate his dispute.

While I empathize with the pastor’s plight, everyone reading this blog has an obligation to balance consumer needs against fiscal and legal realities. I have been doing my annual review of cases in preparation for next week’s legal and compliance conference (again, shameless plug) and, whereas the difficulty used to be finding enough cases to talk about, now the challenge is deciding what cases to exclude. The leading culprit in this explosion in litigation against credit unions is class action lawsuits claiming violations of account agreement disclosures. Another factor fueling the rise in litigation is that employees seem much more willing to sue their employers than they used to be, particularly in a state like New York, which adds so many protections to the federal baseline.

Given this reality, it’s time to call up your outside counsel and have a discussion about the costs and benefits of integrating an arbitration clause into your account agreement, and even into your employee handbook. Both Congress and the courts have given employers and financial institutions the green light to use arbitration clauses. Congress took the unusual step of voting to repeal CFPB regulations that banned arbitration clauses which foreclose class action lawsuits. And last year, the Supreme Court issued the latest in a string of cases emphasizing that the Federal Arbitration Act should be expansively interpreted, and understood as preempting state laws which try to limit its impact. Lamps Plus Inc. v. Varela upheld the enforceability of an arbitration clause in an employee handbook against a challenge that it was too vaguely written to be enforced.

To be clear, arbitration clauses don’t make sense for all credit unions. For example, if you’re more likely to be sued in small claims court than you are to be made subject to a class action, then including an arbitration clause in your account agreement may actually increase the amount of member litigation you have to deal with. In addition, your employees may not respond well to having to agree to arbitration clauses as a condition of employment. But given the state of the law, your credit union should at least be having a conversation. From a strictly legal standpoint, arbitration makes an awful lot of sense.

New York extends Wild Card provisions for another five years

Legislation extending existing law is the lobbying equivalent of getting a new roof on the house; it’s something that has to be done, but it does not generate all that much excitement. Nevertheless, let’s not underestimate the importance of news that Governor Cuomo has extended New York’s Wild Card provisions for another five years.

The Wild Card law permits state chartered financial institutions to apply to the State’s Department of Financial Services for permission to exercise a power which a federally chartered institution has, but which state charters do not. It was originally passed in 1996 to aid banks, and was extended to credit unions in 2007. In recent years, it has played a crucial role in enticing federally chartered credit unions to look at the state charter. Aside from some of the specific powers which have been authorized under the legislation, it signals to federally chartered institutions that New York wants their business, and is willing to talk to them about minimizing the pain points of a conversion.

On another note, the Governor has approved legislation dealing with the creation of a state task force to provide the Governor and Legislature with information on the “effects of the widespread use of cyber currencies” in New York State. The task force will have a year to submit its findings. A great place for it to start would be to review the findings of a multiday hearing that the DFS held several years ago, examining cyber currencies. It was this hearing which led to the creation of New York’s cyber security licensing framework.

September 3, 2019 at 9:46 am

Are You Doing Enough to Protect Employee Privacy?

My readers are a savvy group, so you already know that when it comes to cybersecurity your protection is only as strong as your most technologically unaware employee. But did you know that your employees are also emerging as one of the greatest threats your credit union faces when it comes to being sued for cyber breaches?

After spotting this post, a reader correctly suggested this was a blog-worthy topic that I should spread the word about. She was right. So here goes:

Disgruntled members aren’t the only ones you have to fear if hackers manage to steal Personally Identifiable Information: a 2017 federal court decision and an obscure statute are paving the way for your employees to sue the credit union if hackers gain access to their information. This is just one case, and there will be twists and turns in the coming years, but I expect to see more and more of these cases and you should too.

The case your HR and IT people should know about is Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739 (S.D.N.Y. 2017). Jessie Sackin sued his employer, TransPerfect Global Incorporated, for negligently protecting employee PII after one of the company’s 4,000 employees received a phishing email designed to look like it was from the CEO asking for employee payroll information. An employee did as requested. Score one for the bad guys.

What makes the case important is that Sackin successfully argued that his company had both a common law and statutory obligation to take reasonable precautions to protect employee information and that its failure to do so constituted negligence. By saying that a company could be sued by its own employees for negligence, the court was putting all employers on notice that they had an obligation to take reasonable steps to protect employee information against foreseeable risks. In this case, the company allegedly had inadequate employee training and insufficient firewalls to protect against cyberattacks.

The case is also noteworthy because it put additional teeth into a New York statute mandating that employers protect employee social security numbers and PII. N.Y. Lab. Law § 203-d mandates that: “An employer shall not, unless otherwise required by law, publicly post or display an employee’s social security number;…or communicate an employee’s personal identifying information to the general public.” The punchline is that: “It shall be presumptive evidence that a violation of this section was knowing if the employer has not put in place any policies or procedures to safeguard against such violation, including procedures to notify relevant employees of these provisions.”

The court was the first to rule that this provision gave employees the right to sue over these violations, creating a fun new way for attorneys to sue employers over hacker misdeeds. The bottom line: if you haven’t done it yet, schedule that email training and empower your IT people to ensure that employee and member information is safe and secure.

April 16, 2019 at 10:05 am

Does NY’s Cybersecurity Regulation Apply To Your Credit Union?

With the recent ransomware attack demonstrating how vulnerable the world is to cyberattacks, I spent part of my weekend looking back over NY’s regulations and to whom they apply. These regulations took effect in March, but there is a six month transition period, with some requirements being phased in over the next year.

What follows is one man’s opinion and not a substitute for consultation with your own counsel and compliance team.

NY’s regulations apply to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This definition clearly applies to state chartered credit unions and CUSOs incorporated or licensed in New York State, such as a mortgage banking or title insurance business.

What if you have a federally chartered credit union that makes mortgage loans? Here is where people part ways with my analysis. Even though originators working for banks and credit unions are exempt from state licensing requirements under Section 12C of the banking law, they still must be registered with NYS as loan originators (N.Y. Banking Law § 599-c(3)(a) (McKinney)). On its face, the regulation is broad enough to be triggered by this requirement.

Persons within the industry with whom I have discussed the regulation’s reach argue that even if my interpretation is correct, it is hard to see how NYS could actually enforce the regulations against a federally chartered institution. To me this argument overlooks the fact that this regulation’s requirements will impact more than your compliance system. If it works the way I think it will, it will become an integral part of your most basic business relationships.

For example, the regulation will impact your third party relationships. Entities covered by the regulations must identify and perform a risk assessment on all third party vendor relationships. They also must spell out the minimum cybersecurity protocols with which they expect third party vendors to comply. This requirement is broadly consistent with existing third party vendor guidelines. If I were drafting a contract for your credit union, a reference to NY’s cybersecurity requirements could provide a useful and precise baseline for the standards you expect vendors to meet. This is particularly true given the increasing importance that adequate encryption plays in your cybersecurity program.

Even if NYS’s regulation doesn’t apply to you today, you don’t have to be Nostradamus to figure out that similar regulations will soon be imposed on your credit union. The ransomware attack demonstrated just how vulnerable our country is. Like it or not, NY’s regulation provides a template upon which regulators can quickly build, and my guess is they will do so.

May 22, 2017 at 9:52 am

New York Amends Cyber Security Proposal

I’m back and ready for a year that promises to be a blogger’s dream come true.

On December 28th, New York’s Department of Financial Services reissued its proposed Cybersecurity Program Requirements which are to be phased in starting in March.

Although the amendments are designed to clarify that entities covered by these regulations (a category that would include state chartered credit unions and CUSOs incorporated pursuant to State Law) can develop policies that reflect individual risk assessments, it remains to be seen whether these changes will go far enough to assuage the concerns of insurance companies, banks and credit unions that will have to comply with these “First in the Nation” requirements. Remember, these regulations only apply to state chartered institutions, but may very well provide a template for other states across the nation.

First the good news. The exemption from these regulations (proposed section 500.19) has been expanded; it now includes an organization with fewer than 10 employees or less than $5,000,000 in gross revenue in the last three years. The previous exemption only applied to entities with fewer than 1,000 customers in each of the last three calendar years.

The proposed regulation has also been amended to clarify that an organization’s policies and programs are to be based on its risk assessment. While this helps, the Department refused to clarify the extent to which compliance with federal standards can satisfy these regulations.

The amendments also clarify that a covered entity can satisfy these regulations by using an affiliate’s cybersecurity program. In other words, a state charter with a CUSO can use a single program so long as it applies to both entities.

A huge issue, particularly for larger institutions, is the state’s proposal requiring institutions to encrypt nonpublic information that is not being transmitted. I have conversed with a couple of techies about this. They argue that when information is being stored on a secured system it shouldn’t be subjected to the same encryption requirements as data being transmitted. Show revised section 500.15 to your IT people and see if the proposed changes go far enough to address these concerns. Yours truly is by no means an IT expert, nor does he play one on TV.

There is still plenty in here to make institutions moan. For example, covered entities will still have to undergo cybersecurity training.

Happy New Year!

January 3, 2017 at 9:51 am

Is Biometric Security Already Obsolete?

Here is one more thing to keep your IT department up at night.

An international security consulting firm has created quite the stir across the pond by reporting that hackers have already figured out not only how to steal biometric data from ATM machines but also how to commercialize the sale of devices facilitating its capture.

On September 22, 2016, Kaspersky Lab reported that there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints from ATMs. In addition, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems. By the way, this is in addition to reports demonstrating that it is possible for hackers to steal information stored on EMV chip cards.

The news caused one British regulator to write a letter to banks telling them to report on the steps that they are taking to secure biometrics. What makes this report so disturbing is that, whereas compromised ATM and credit cards can be reissued, you can’t change someone’s biometric data. If it really is as easy to steal this information as it appears it will be, then the use of biometric passwords will offer convenience to people like your faithful blogger, who is frustrated by an ever-growing list of passwords, but will be an expensive dead-end when it comes to security.

From now on I’m going to tell my wife to follow Kim Kardashian’s lead and take millions of dollars in jewelry with her wherever she goes instead of using a safety-deposit box. What could possibly go wrong?

The report also underscores just how behind the curve this country is when it comes to cyber theft. Merchants are still grumbling about the use of chip readers and a major Presidential candidate is encouraging the cyber-hacking of his opponent while Europe is already debating the merits of biometric security. I can’t believe that this is the best the country that created Google, Facebook and Microsoft can do.

Which brings me to my proposed one-sentence guidance for all regulators, financial institutions and businesses to follow: “Every business must have a cybersecurity plan, but one which is tailored to its size, complexity and cyber vulnerability. Any mandate more prescriptive than this will be outdated in days and deny institutions the flexibility they need to weigh cybersecurity costs against other expenditures eating away at the bottom line.”

Extended Exam Cycle, Right Around The Corner

NCUA announced yesterday that well managed credit unions with assets of less than $1 billion could move to an extended examination cycle, beginning next year, subject to board approval. The recommendation is among ten put forward by an agency working group on exam flexibility.

On that note enjoy your long weekend, I will be back on Tuesday!

October 7, 2016 at 9:24 am

Would Information Sharing Act help CUs?

One of my faithful readers emailed yesterday and asked me what I thought of the cyber security legislation that passed the Senate earlier this week. So here goes: Quite simply, any action that shows Congress is waking up to the need for federal action aimed at creating a more robust cyber security infrastructure is a step in the right direction, but since the core challenge of making merchants more responsible for how they protect consumer information remains, credit unions will see little direct or immediate benefit if this legislation becomes law.

Senate bill 754, The Cyber Security Information Sharing Act of 2015, passed with strong bipartisan support and takes some important steps designed to make it easier for the government and the private sector to respond to and deter cyber threats. For example, Homeland Security, the Director of National Intelligence, the Department of Defense and the Justice Department would have to promulgate procedures for the “timely sharing” of classified cyber threat indicators. The bill would also set up a framework that would allow companies to voluntarily monitor each other’s information systems. Companies that exercise these powers are shielded from lawsuits, including those alleging violations of antitrust law.

Now all of this might be really important stuff for Fortune 500 companies, including the largest banks that are such tempting targets for hackers, but none of it addresses the concerns of credit unions wondering why merchants don’t have to pick up the tab for data breaches caused by merchant negligence. We not only need more information sharing but we also need to make sure that all businesses have to adopt common sense procedures to protect the personal information of consumers.

The bill also makes the civil libertarian in me that much more concerned about how easy we are making it for the government and business to spy on us in the name of national security, but that goes beyond the scope of this post or the concerns of credit unions. Stay dry out there.

Here is a link to information about the bill.

http://thomas.loc.gov/cgi-bin/bdquery/D?d114:1:./temp/~bdtyR9:@@@R|/home/LegislativeData.php|

October 29, 2015 at 8:50 am

Why Don’t People Care About Cyber Security?

There are an increasing number of examples of America changing from a “Can do” to a “Can’t do” or “Won’t do” nation.

The latest example is the news that “more than twice as many taxpayer accounts were hit by identity thieves than the agency first reported, with hackers gaining access to as many as 330,000 accounts and attempting to break into an additional 280,000.” (WSJ http://www.wsj.com/articles/irs-says-cyberattacks-more-extensive-than-previously-reported-1439834639). Many of you will undoubtedly deal with the consequences of these breaches first hand.

The IRS’s underbelly is its system for accessing consumer tax information online. We learned earlier this year that hackers had broken into the system and gained access to taxpayer info, but what we learned yesterday was that the break-in was much more extensive and far-reaching than the IRS first believed. The type of information the hackers gained access to is ideal for establishing a fake identity. It potentially includes line-by-line tax return information and income reported to the IRS.

(The IRS points out on its website that the break-ins underscore the need for consumers to “think twice before posting publicly personal or financial information on social media or the Internet.” As someone who proudly doesn’t have a Facebook account, this last bit of advice makes sense to me, but I’ve given up thinking that people can be kept from informing hundreds of their closest friends about how they are getting through their day.)

It used to be that when America was confronted with great challenges it confronted them head on. I’m thinking of the Erie Canal, WW II and the Race to the Moon, just to name a few. In contrast, where is the resolve to truly confront cybersecurity threats? According to Frank Abagnale Jr. of “Catch Me If You Can” fame, who spoke at the Association’s convention a few months ago, there are things that the government could do but isn’t doing to better protect the American public’s information.

And there is much more going on here than bureaucratic inertia. Congress still hasn’t passed meaningful cybersecurity legislation that breaks down barriers to information sharing and makes all industries, not just financial service providers, legally responsible for guarding against cyber theft.

Meanwhile, the American public seems indifferent to the chronic invasion of its privacy by hackers. If terrorists compromised our computer networks as successfully as the Chinese have, there would be calls for sanctions, Congressional hearings would be held and presidential candidates would be questioned about more important things than what they think of Donald Trump. Stories about cyber break-ins hardly get noticed for more than a day or two.

Cyber crime makes every business less efficient and more expensive to run. It makes every consumer vulnerable to theft and makes us all less safe. Can it be prevented? Not entirely, but it certainly can be deterred.

In the meantime, regulators continue to prod banks and credit unions to prioritize cybersecurity even though the best efforts of every financial institution won’t solve a thing in the absence of a comprehensive government-led defense to protect our personal information.

So it goes.

August 18, 2015 at 9:27 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.