Posts tagged ‘data breach’

Sonic Case Demonstrates How Merchants Put Consumer Privacy At Risk

For those of you in Washington this week, a recent decision in the Sonic data breach litigation underscores why merchants need to comply with baseline data breach prevention standards. On September 7th a group of credit unions survived Sonic’s motion to dismiss claims that its negligence facilitated yet another massive data breach resulting in costs to credit unions, such as the need to reissue cards, for which Sonic should be responsible (SONIC CORP. CUSTOMER DATA SECURITY BREACH LITIGATION). And let’s not forget the thousands of consumers who were inconvenienced as a result of Sonic’s alleged negligence.

Between April and October of 2017, hackers used malware installed at 762 Sonic restaurants to steal transaction payment card data. Franchises generally were allowed to use two different types of processing systems. The hacks occurred in franchises that use the PAYS system to process transactions. Sonic facilitates payments by setting up a VPN to facilitate remote access to the system. The VPN system was set up so poorly that it allowed hackers to access unencrypted payment card data. The list of defects reads like a “What Not-To-Do List” when it comes to protecting customer data:

  • They did not use multi-factor authentication to authorize access to the system.
  • The stolen data was not always subject to end-to-end encryption.
  • Sonic even facilitated the storing of unencrypted data on business servers.

If a New York State bank or credit union treated data this way, it would be in violation of several provisions of New York State’s cyber security regulations, which mandate that sensitive data be encrypted when it is in transit and that it be adequately protected when it is being held on a server. Furthermore, a failure to use multi-factor authentication has already resulted in fines under the framework. Even if you do not have the good fortune of living in New York, the Gramm-Leach-Bliley Act and a host of regulations outlaw this type of conduct for financial institutions.

In contrast, there is no corresponding regulatory framework for businesses like Sonic; the only way to hold Sonic and similar companies accountable is through lawsuits. The problem is that not all states give financial institutions the right to sue merchants for purely economic harm. In short, we continue to have a hodge-podge of regulatory enforcement which incentivizes merchants to under-invest in their cybersecurity infrastructure.

September 15, 2021 at 9:15 am

How Much Legal Risk Does Accidentally Exposing Personal Information Put Your CU In?

The Court of Appeals for the Second Circuit, which has jurisdiction over credit unions in New York State, recently provided guidance to businesses that face potential data breaches which of course is every credit union employing someone reading this blog. It also took the opportunity to explain how much legal risk the office luddite (you know the person who continually responds to emails instructing her to buy gift certificates with company money) is putting your credit union in.

As my hardcore faithful readers know, a key concept to understand in evaluating your credit union’s legal risk is standing. The very basic idea is that one of the things someone seeking to sue you in federal court has to show is that they have been injured enough to justify being compensated by a court for the harm allegedly caused by your actions. While this issue is easy enough to figure out in the case of a car accident or property damage, it is much more difficult to determine how much harm there has been in the context of data breaches.

In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310 (2d Cir. 2021) the court heard an appeal from employees of a company who are part of a group of individuals whose personally identifiable information was exposed when a spreadsheet was sent to 65 fellow employees. They wanted to bring a class action lawsuit against their employer based on this negligent mishap. They couldn’t point to specific instances of the exposed information being misused, but they feared that it might be and wanted the company to pay for detection services.

The Second Circuit used these facts to address when potential future harm caused by a data breach triggers legal liability. It held that courts should consider the following factors in evaluating harm. Remember that these are the same factors your insurance company will be considering when pricing your data breach policies and that you should be discussing with your outside counsel the next time one of your employees mistakenly exposes personally identifiable information to third parties:

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

In the context of this case the court determined that our would-be class action plaintiffs could not establish standing. The personally identifiable information was exposed because of a mistake as opposed to the intentional acts of a hacker; there was no evidence that the compromised data had been misused; and some, but not all, of the information was not particularly sensitive. It included, for example, phone numbers and dates of hire.

As for the fact that some of the victims felt the need to pay for services to monitor their accounts, the court held that self-inflicted harm cannot provide the basis for standing in federal courts.

On that note, grab another cup of coffee and continue going through your email secure in the knowledge that honest mistakes won’t necessarily result in a successful lawsuit against your credit union.

May 6, 2021 at 9:49 am

CFPB Extends QM Compliance Deadline

The increasingly drawn-out fate of regulations creating a new definition of what qualifies as a Qualified Mortgage took another turn this week when the CFPB announced that it was extending the deadline for compliance from July 1, 2021 until October 1, 2022. This is good news especially for those of you intending to sell mortgages to the secondary market. As I explained in a recent blog, the GSE recently put its partners on notice that without a change to the deadline it would not accept for purchase mortgages which qualify under the existing QM patch with its higher debt-to-income parameters.

The preamble to this announcement includes this graph demonstrating just how dependent the housing market remains on access to the GSEs even as private label securitization continues to recover.

Second Circuit Examines Standing In Data Breach Cases

I will be delving into this more extensively next week, but I did not want this week to end without informing my faithful readers that the U.S. Court of Appeals for the Second Circuit has decided an important case in which it explains the circumstances under which individuals whose data has been exposed to theft by unauthorized third parties can bring lawsuits in New York federal courts. The case is McMorris v. Carlos Lopez & Assocs., LLC.

On that note, enjoy your weekend.  Yours truly will be paying for his first haircut and shave in about 16 months.

April 30, 2021 at 9:58 am

When should you report a data breach?

That is the question I hope you all have policies and procedures to answer.  A recent enforcement action by New York’s Department of Financial Services (DFS) underscores that the Department is deadly serious about ensuring that institutions subject to its licensing requirements comply with the State’s cutting edge cyber security regulations.  For those of you not subject to New York State’s dictates, keep in mind that New York State’s regulations are becoming a national model. 

In the matter of Residential Mortgage Services, Inc., DFS announced a $1.5 million fine against a licensed mortgage company headquartered in Maine that was licensed to do mortgages in New York State. As part of a routine audit, the Department discovered that the mortgage banker had been subject to a data breach it had not disclosed to the State. It also did not have adequate policies and procedures in place to do the type of periodic risk assessments that New York State requires under these regulations. The breach DFS was concerned about involved an employee who notified her IT team, but only after she had given a hacker posing as a vendor access to her email. The employee handled sensitive mortgage information.

Should the company have notified DFS? Under 23 NYCRR 500.17, covered entities are required to report cybersecurity events within 72 hours. A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. This settlement underscores that when in doubt you should report a breach. However, this is an incredibly broad definition, since any IT person will tell you that even the smallest of businesses is bombarded with attempted break-ins all the time. In the accompanying Q and A, DFS explains that “notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.” This explanation of course gives you little discretion in the event that a data breach is successful.

March 8, 2021 at 9:44 am

New York to LIBOR’s Rescue!

The rulers of the financial world typically frown on the state getting involved with their business. But when it comes to LIBOR, you can hear a huge sigh of relief emanating from Wall Street this morning. As readers of this blog know, LIBOR is a discredited benchmark that has been the gold standard for contracts that use indexes. In the credit union world, LIBOR has been used by some for adjustable rate loans, and in the world of high finance, it has been used for complicated derivatives. 

Despite the fact that readers of this blog have known for years that LIBOR would come to an end, perhaps as early as this year, apparently some of the folks on Wall Street haven’t gotten around to adjusting to this new reality. But they’re in luck, because tucked away in the Governor’s Article VII budget language is a provision which will amend New York State law to ensure the continued validity of contracts that rely on LIBOR adjustments even after it is obsolete. Since so many financial contracts are executed in New York, this news benefits the financial industry at large. 

Has the CU Industry Been Impacted by the Russian Cyber Attacks?

Since at least last March, the Russian government has engaged in the most comprehensive series of cyber attacks in the internet era. The attacks, which may still be ongoing and the scope of which is still being determined, raised the very real prospect that a foreign government hostile to the United States has infiltrated the inner workings not only of corporations, but of financial institutions as well. Unfortunately, despite a letter from CUNA on the potential scale of the problem, the NCUA has done little to inform credit unions about the extent to which NCUA itself may have been victimized and the steps credit unions should take to protect member data.

As Michael Ogden succinctly put it in this CU Times piece:

“We do not know if the NCUA has been impacted. We do not know if the NCUA is conducting its own investigation or audit of its network systems. We do know the Treasury Department, the Commerce Department, the State Department, the Pentagon and the Energy Department have all been compromised. We do know from reports that other federal regulatory agencies have also been compromised.”

This is one of those situations where what you don’t know can hurt you. It’s time for some clarification from our regulator.

January 21, 2021 at 9:34 am

What Your Credit Union Needs to Know About Data Breaches

Reports of a major data breach seem to be becoming as much a fixture of the holiday season as chestnuts roasting on an open fire. While there has been no reported breach yet of a major legacy retailer (there are still nine shopping days ‘til Christmas), surely news that the Russian government has engaged in one of the largest and most successful cyber hacks ever is enough justification to remind us of what our obligations are to our members’ data. Besides, the FDIC is going to consider a notice of proposed rulemaking on computer security incident notifications on its agenda today. Could similar consideration by the NCUA be close behind?

Is this an area of law that really needs to be updated? You bet it does. Most importantly, financial regulators including the NCUA haven’t made major changes to the area of data security reporting since 2005, which as today’s American Banker points out, was right around the time this thing called the iPhone began to be sold by Apple. The result of federal inaction has been a hodgepodge of state-level regulations and statutes which all seek to accomplish the same basic goals, but with important distinctions. 

This is an area that is crying out for federal action to bring uniformity. In the meantime, remember some of the key regulations and statutes to which you are subject. On the federal level, we have 12 CFR Part 748 and Appendix B, which outlines the requirement that all credit unions have a framework for assessing the scope of data breaches which compromise data privacy. As explained in this well-written opinion letter, “the overriding theme of NCUA’s guidance to credit unions in this area is risk assessment. When an incident occurs, the first step of any response program should be to assess the nature and scope of the incident and the likelihood of harm to the member whose information is affected. 12 C.F.R. Part 748, Appendix B, §II(A)(1)(a). Where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA.” If all we had were these GLB-inspired mandates, the sole obligation of financial institutions in this area would be to have a policy and procedure in place with regard to protocols for protecting member information.

But in the absence of federal action in this area, almost all states have developed their own data breach requirements, and no state outside of California has been more aggressive than New York. Regardless of whether you are a federal or state chartered credit union, you are required to comply with Section 899-AA of New York’s General Business Law, which lays out detailed requirements for informing members when their personal information has been compromised, as well as when to inform the Attorney General of a suspected data breach. Specifically, it states that in the event that a breach impacts 500 or more New York residents, the attorney general must be informed in writing by the liable entity within 10 days. This is in addition to New York’s Department of Financial Services cybersecurity regulations, which have their own set of requirements. On paper, the latter regulations apply only to state-licensed or chartered institutions. However, in the absence of federal guidelines, you must always be mindful of what a court would judge as “reasonable conduct” for your industry if your credit union were to be sued for negligently protecting member data.

By the way – I haven’t even mentioned California’s data security requirements, which some New York credit unions have decided they should comply with. It’s a good thing that we have a functional and thoughtful Congress anxious to address these concerns.

December 15, 2020 at 9:52 am

CU Lawsuit Highlights an Issue We Can All Agree On

Despite the election, one area where Americans can usually find common ground is the need for more protections for data security. Yesterday, a federal court in Ohio allowed a class-action lawsuit brought against the Sonic restaurant chain by, among others, American Airlines FCU, Arkansas FCU and Redstone FCU to go forward. When you’re talking to those newly minted Congressional members following the election, Sonic Corp. Customer Data Breach Litigation is the best example I’ve seen of why Congress needs to implement uniform data security standards.

The case involves a data breach that occurred over a six-month period because Sonic used antiquated technology. Most importantly, its point of sale terminals were not required to have encryption technology, giving hackers easy access to card information for several months. That encryption has, of course, become common practice for many institutions and is a required component of the data protection plans for all New York State Chartered and licensed institutions. 

The case is also instructive for another reason. One of the key issues in data breach litigation continues to be determining who is actually injured by a data breach. In seeking class-action status, the financial institutions argued that the class of plaintiffs eligible to sue Sonic should include “All banks, credit unions, financial institutions, and other entities in the United States that received an alert of a potentially compromised account from any card brand in the Sonic Data Breach.”  The court slightly modified this class, allowing the suit to go forward for “all banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or reimbursed a compromised account from any card brand involved with the Sonic Data Breach.” In contrast, merchants continue to argue that only persons who can demonstrate that their data was actually stolen by hackers should be able to sue. 

In short, this case is the latest example of how merchants want to benefit from card technology, but make financial institutions responsible for all the risks and costs associated with its use. 

New York Extends Remote Notarization Authorization

Earlier this week, the Governor’s office issued another extension of its remote notary authorization. This is welcome news for those of us requiring notarization for documents – especially as COVID-19 cases begin to surge again across the country.

November 5, 2020 at 9:22 am

Once Upon A Time At Your CU. Are you Ready To Respond To The Next Data Breach?  

One of these days you’re going to grab some coffee, turn on your computer and start your work day and, while dutifully reading this blog, get an email from your IT person informing you that your credit union has been hacked. You don’t know exactly how much data has been exposed, but there’s a pretty good chance a third party gained access to your members’ personally identifiable information.

You spring into action by pulling out your credit union’s Data Breach Protocols, which will of course have just been updated a few months ago as part of the credit union’s on-going planning. The Data Breach Response Team is called into action and everyone knows exactly what to do.   Of course, you quickly want to nail down exactly what has happened.  So even before you contact your outside counsel, you reach out to a third party information security team that you know has experience dealing with data breaches.

Since contracts are always important and closely adhered to, your outside counsel quickly drafts a contract for the IT team and it quickly gets to work.  Within days the IT consultant reports back with a written document describing what happened and why, some of which doesn’t paint the credit union in the best light.  You contact your regulators and notify your members that a data breach has occurred and quicker than the coronavirus can spread through a bunch of drunk college kids on Spring Break, the first class-action lawsuit has been filed against your credit union.

The scenario I just described is similar to the one confronted by Capital One when it discovered it was hacked in 2019 (In re: Capital One Consumer Data Security Breach Litigation; see also “Capital One Ordered To Release Report Of Massive Data Heist” and the opinion PDF).

My guess is that, while many of you have at least thought about the issues raised by the above hypothetical, you probably haven’t given much thought to the issue of attorney-client privilege in general or attorney work product in particular.  It’s time for that to change.  Capital One is now battling to keep a report produced by an outside IT team exempt from discovery from attorneys suing it over the data breach.  It has lost the first round in its battle which is an unfortunate development for anyone who works to protect financial institutions.

Attorney work product refers to work performed by attorneys or their agents in response to or in anticipation of litigation (Federal Rule of Evidence 502 and New York CPLR 3101). This seemingly straightforward definition is not as easy to apply as it should be. For instance, in Capital One’s case a third-party IT report was done at the request of the bank’s outside counsel and its results were given first to the law firm. Nevertheless, the court concluded that the report would have been produced with or without the threat of litigation. It pointed out, for example, that the work being performed by the IT team was similar to work it was performing on behalf of the bank pursuant to a contract that was entered into before anyone knew of a data breach. In addition, the report could be used to comply with regulatory requirements with which the bank had to comply regardless of the lawsuit. The bank is appealing.

Although the scope of and deference given to attorney-client communications varies by state, the case underscores the importance of considering how best to keep attorney communications private in your data response plan. A good data breach response has to allow for frank discussions and analysis. This is precisely why the attorney-client privilege exists. Mistakes are going to happen. The consequences of these mistakes will be exacerbated if attorneys aren’t free to give the most straightforward advice they can.

June 17, 2020 at 11:18 am

Are you prepared for the next pandemic?

I certainly don’t want anyone to overreact, but as I was getting ready to go this morning, I listened to the news that the coronavirus is continuing to spread. In addition, with an incubation period of 14 days, an epidemiologist interviewed on Bloomberg predicted that as many as 100,000 people could ultimately be infected.

It’s time to start dusting off those continuity plans addressing what steps your credit union would take in the event of a wide-spread virus. Here are a couple of good places to start:

In 2006, there was wide-spread fear of an influenza pandemic. The financial regulators, including the NCUA, responded with this inter-agency statement on Pandemic Planning.

In 2014, we had the Ebola Outbreak. One of the most helpful analyses of the legal issues confronted at the time by employers was this blog post from Bond Schoeneck & King, which addressed issues such as the extent to which employers could inquire about employees’ travel plans.

There are also regulations you are already subject to. For example, Federal law requires employers to provide employees a place of employment free of “recognized hazards that are causing or are likely to cause death or serious physical harm” to employees (29 USCA section 654). Consistent with this obligation OSHA issued this guidance during the flu epidemic.

Now I want to stress that all of these outbreaks are unique and raise different issues. Furthermore, I’m not aware of any formal regulatory requirements that have been imposed on financial institutions as a result of the coronavirus. But as I like to say, I am paid to be paranoid, and now is a good time to start answering the questions that you could be asked if this virus spreads.

Another day, another data breach

In the immortal words of the second greatest American entertainer of the 20th Century, Ray Charles, “Here we go again.” KrebsOnSecurity is reporting that convenience store chain Wawa has been victimized by a nine-month data-snatching security breach. This is based on news that the bad guys are already offering to sell personally identifiable information on the dark web. Rather than go through the usual litany of complaints, I think I’m just going to let Ray Charles finish out the blog with one of my favorite songs:

I’ve been there before
And I’ll try it again
But any fool knows
That there’s no way to win
Here we go again
She’ll break my heart again
I’ll play the part again
One more time

January 29, 2020 at 9:32 am

Another Day, Another Data Breach

As faithful readers of the blog know, when I start with a sentence reporting the latest data breach uncovered by KrebsOnSecurity, it means that a massive number of credit and debit cards have once again been stolen by hackers. According to the website, a popular underground store selling credit and debit cards is offering to sell more than 5.3 million new accounts belonging to cardholders from 35 states. It now appears that this treasure trove of information was stolen from the Hy-Vee supermarket chain, which apparently has hundreds of stores in the Midwest.

On August 14, the company announced that because it “takes the security of payment card data very seriously,” it wanted to make its customers aware of an investigation it was conducting into a “security incident” that focused on payments made at affiliated gas stations, restaurants, and supermarkets.

Since the supermarket chain is based in the Midwest, hopefully this will not impact your members; it does, however, give me the opportunity to once again point out obvious points that so many of our policy makers refuse to acknowledge or act on.

  • When are we going to stop calling the black market for credit and debit card information a black market? On a practical level, people can go onto the web and sell this information with virtual impunity. In reality, it’s become a de facto secondary market. Consumers and businesses are paying the price.
  • The legal system works best when the parties most responsible for a given injury bear the burden of the cost associated with their mistake. By this standard, liability for data breaches remains woefully inadequate. This breach will undoubtedly spark several lawsuits and result in a large multimillion dollar settlement, but so long as consumers have to prove not only that their data was exposed to a data breach, but that their data actually was used in a way that cost them money, consumers will have a difficult time making businesses pay for the harm they are inflicting. As for financial institutions, courts and legislators have to stop viewing data breaches as contract violations as opposed to torts for which there are wide ranging damages.
  • Of course, all of this could be resolved by Congress, but it won’t be; at least not in the near future.

Wildcard Legislation Sent to Governor

Late last week, legislation was sent to the Governor to extend the Department of Financial Services’ wildcard powers for banks and credit unions. This is absolutely critical legislation which we expect the Governor to approve. Without action by the Governor, this power expires in September.

Originally passed in 1996 to make the state banking charter more competitive with its federal counterpart, the law has applied to credit unions since 2007. The basic idea is that state chartered financial institutions can apply to the Department of Financial Services for permission to exercise a power that federally chartered institutions have, but that state chartered credit unions do not. In recent years, the Department of Financial Services has utilized its authority to help both banks and credit unions and, in so doing, has made the state charter more attractive to federal credit unions.

The Association has of course signaled its support of the measure and we will tell you when the Governor takes action on the bill.

August 27, 2019 at 9:31 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.