Posts tagged ‘data breach’

Are you prepared for the next pandemic?

I certainly don’t want anyone to overreact, but as I was getting ready to go this morning, I listened to the news that the coronavirus is continuing to spread. In addition, with an incubation period of 14 days, an epidemiologist interviewed on Bloomberg predicted that as many as 100,000 people could ultimately be infected.

It’s time to start dusting off those continuity plans addressing what steps your credit union would take in the event of a widespread virus. Here are a couple of good places to start:

In 2006, there was widespread fear of an influenza pandemic. The financial regulators, including the NCUA, responded with this interagency statement on Pandemic Planning.

In 2014, we had the Ebola Outbreak. One of the most helpful analyses of the legal issues confronted at the time by employers was this blog post from Bond Schoeneck & King, which addressed issues such as the extent to which employers could inquire about employees’ travel plans.

There are also requirements you are already subject to. For example, federal law requires employers to provide employees a place of employment free of “recognized hazards that are causing or are likely to cause death or serious physical harm” to employees (29 U.S.C. § 654). Consistent with this obligation, OSHA issued this guidance during the flu pandemic.

Now I want to stress that all of these outbreaks are unique and raise different issues. Furthermore, I’m not aware of any formal regulatory requirements that have been imposed on financial institutions as a result of the coronavirus. But as I like to say, I am paid to be paranoid, and now is a good time to start answering the questions that you could be asked if this virus spreads.

Another day, another data breach

In the immortal words of the second greatest American entertainer of the 20th Century, Ray Charles, “Here we go again.” KrebsOnSecurity is reporting that convenience store chain Wawa has been victimized by a nine-month payment card data breach. This is based on news that the bad guys are already offering to sell the stolen card data on the dark web. Rather than go through the usual litany of complaints, I think I’m just going to let Ray Charles finish out the blog with one of my favorite songs:

I’ve been there before
And I’ll try it again
But any fool knows
That there’s no way to win
Here we go again
She’ll break my heart again
I’ll play the part again
One more time

January 29, 2020 at 9:32 am

Another Day, Another Data Breach

As faithful readers of the blog know, when I start with a sentence reporting the latest data breach uncovered by KrebsOnSecurity, it means that a massive number of credit and debit cards have once again been stolen by hackers. According to Krebs, a popular underground store selling credit and debit cards is offering more than 5.3 million new accounts belonging to cardholders from 35 states. It now appears that this treasure trove of information was stolen from the Hy-Vee supermarket chain, which has hundreds of stores in the Midwest.

On August 14, the company announced that because it “takes the security of payment card data very seriously,” it wanted to make its customers aware of an investigation it was conducting into a “security incident” that focused on payments made at affiliated gas stations, restaurants, and supermarkets.

Since the supermarket chain is based in the Midwest, hopefully this will not impact your members; it does, however, give me the opportunity to once again make some obvious points that so many of our policy makers refuse to acknowledge or act on.

  • When are we going to stop calling the black market for credit and debit card information a black market? On a practical level, people can go onto the web and sell this information with virtual impunity. In reality, it has become a de facto secondary market, and consumers and businesses are paying the price.
  • The legal system works best when the parties most responsible for a given injury bear the burden of the cost associated with their mistake. By this standard, liability for data breaches remains woefully inadequate. This breach will undoubtedly spark several lawsuits and result in a large multimillion dollar settlement, but so long as consumers have to prove not only that their data was exposed to a data breach, but that their data actually was used in a way that cost them money, consumers will have a difficult time making businesses pay for the harm they are inflicting. As for financial institutions, courts and legislators have to stop viewing data breaches as contract violations as opposed to torts for which there are wide ranging damages.
  • Of course, all of this could be resolved by Congress, but it won’t be; at least not in the near future.

Wildcard Legislation Sent to Governor

Late last week, legislation was sent to the Governor to extend the Department of Financial Services’ wildcard powers for banks and credit unions. This is absolutely critical legislation which we expect the Governor to approve. Without action by the Governor, this power expires in September.

Originally passed in 1996 to make the state banking charter more competitive with its federal counterpart, the law has applied to credit unions since 2007. The basic idea is that state-chartered financial institutions can apply to the Department of Financial Services for permission to exercise a power that federally chartered institutions have but that state-chartered institutions do not. In recent years, the Department of Financial Services has used this authority to help both banks and credit unions, and in so doing has made the state charter more attractive to federal credit unions.

The Association has of course signaled its support of the measure and we will tell you when the Governor takes action on the bill.

August 27, 2019 at 9:31 am

Why This Blog Should Scare You

For the last couple of days, I have been gobbling up information on the First American Financial Corporation data breach. In my ever so humble opinion, this is more than your average data breach. It has the potential to be a watershed moment, particularly for those of you who handle mortgages, and it underscores why your credit union’s top compliance priority should be making sure you have an adequate framework in place for evaluating your vendor relationships.

For those of you who haven’t heard, on May 24th KrebsOnSecurity broke the news that First American Financial Corp. had effectively exposed roughly 885 million digitized mortgage-related documents to public access. According to Krebs, the information included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images, and it was organized in a way that made searching through the documents user-friendly.

Yesterday I read through this complaint, in which a Pennsylvania resident is seeking to bring a class-action lawsuit against the company for, among other things, violating California law and breach of contract. Finally, Krebs is reporting that New York State is investigating the company in what may be the first high-profile test of its ability to impose its cybersecurity regulations on out-of-state actors. All this is coming at a time when regulators are poised to place greater pressure, at least on bigger credit unions, to ensure that third-party vendors are contractually obligated to meet very specific data protection requirements. Here’s why I think this is such a big deal:

  • Although the lawsuit is being brought against First American, it underscores just how vulnerable financial institutions are to the mishaps of vendors. Many credit unions and banks have relationships with specific title insurance companies and it isn’t much of a stretch to see how these kinds of mistakes could directly impact their consumer relationships.
  • If I were a relatively large federal credit union, I would be asking myself whether it is prudent to comply with New York State’s cybersecurity regulations even though they are not directly applicable. In the absence of federal action, New York will aggressively seek to impose its requirements any time it can. Furthermore, the lawsuit alleges that the company did not take basic steps, such as performing periodic penetration testing to see how vulnerable its data was to third parties. Had it used New York’s regulations as a de facto standard, this oversight would have been avoided. This is certainly a discussion that should involve your attorneys and compliance people.
  • Think long and hard not only about the language you put in your contracts to obligate third-party providers to meet data protection standards but also what steps you are taking to demonstrate that those standards are being complied with. Start by doing an analysis of what vendors have the most information and work back from there.
  • Once again, this case will test the legal issue of standing. I haven’t seen any proof yet that a person has been hurt by this breach beyond the fact that their personally identifiable information was exposed like a couch your neighbor wants to get rid of and puts on the sidewalk. For me this should be enough to establish standing, but the standard articulated by the Supreme Court in Spokeo puts this very much in doubt.
  • Finally, this is yet another example of why we need federal action now. Yesterday the legislature held a cybersecurity hearing. I don’t blame the state for acting but I do believe that ultimately this is an issue best dealt with on the federal level where a single set of rules and regulations can be imposed.

Here is an excellent blog I read on the subject yesterday.

June 5, 2019 at 9:20 am

4 Lessons from a “Massive” Mortgage Data Breach

The website TechCrunch has caused quite the stir within the mortgage industry since it reported in late January on a massive mortgage data breach. Although the web is still being untangled, it appears that millions of pages of mortgage documents containing personally identifiable information were left on a server that was not password-protected for at least two weeks. A game of legal hot potato has already begun. Many of the mortgages were originated by the nation’s largest financial institutions, but since so many of the mortgages were sold and so much of the information ended up in the possession of third parties, these lenders have already said that they are not to blame. This is shaping up as the highest-profile mortgage data breach to date, and it underscores crucial gaps in data security for both consumers and lenders.

First, it is not enough to hold vendors accountable for appropriate data standards; you must also hold accountable the vendors of your vendors. In this case, the source of the exposed mortgage documents was traced to a Texas-based data and analytics company, Ascension. But Ascension says the real villain is one of its vendors, OpticsML, a document management startup in New York. I’m going out on a limb here and saying that OpticsML had better be able to demonstrate to New York State regulators that it was complying with New York’s cybersecurity regulations.

Second, there’s the very basic issue of just how much information all mortgage lenders have in their possession. Everyone should have baseline policies and procedures detailing how email is to be handled and how passwords and encryption are to be used, and should make sure that employees are held accountable if they repeatedly fall victim to phishing. Password management and phishing both played a part in this incident. To be fair, just how much care is enough care when it comes to data security in an age of email is still an unsettled issue for the courts; you have to balance safety against consumer access. But if you are not taking common-sense measures to protect your sensitive data and adhering to relevant laws, get ready to write a check to your outside counsel.

Third, what about the contract? After all, any good contract should make the party with whom you are contracting responsible for the conduct of its vendors. What this situation underscores is that this type of contractual liability only goes so far. Think about how many parties can have access to a consumer’s data over the life of a mortgage loan, from the original bank underwriters and originators, to secondary market purchasers, to mortgage servicers, to securitizers, to data storage and analytics companies. Any lapse in the chain undermines everything.

Fourth, such a broad scope of responsibilities can only be addressed through broad federal legislation. It is no consolation to the thousands of consumers whose personal information has been compromised that the financial institutions with whom they dealt adhere to rigorous data security standards if other parties simply ignore or are not subject to the same standards. It’s time for Congress to get the hint.

February 13, 2019 at 8:45 am

DFS Agrees To Consent Order With Equifax

Yesterday, New York’s Department of Financial Services announced that it had joined several other state regulators in agreeing to a consent order with Equifax over the shoddy data protection practices that led to the historic 2017 data breach at the credit reporting agency.

Under the agreement, Equifax’s board must put in place safeguards that any financial institution should be embarrassed not to have adopted years ago. For example, the board, or a committee it designates, must approve and annually review an Information Security Policy; must receive annual reports on the company’s information security management; and must improve board minutes to capture the board’s actions in reviewing the necessary information.

On a constructive note, if I were on a board or in senior management at a credit union, I would review this Order. Don’t get me wrong, I’m not saying your credit union needs the same level of protections as a company as large and sophisticated as Equifax, but your credit union should have a regularly updated cybersecurity policy and procedures, with staff assigned and held accountable for ensuring that they are properly implemented. If your credit union doesn’t have this framework, it is whistling past the graveyard.

On a more negative note, this is yet another example of how the big guys get away with relative slaps on the wrist for conduct that would probably lead to the emergency merger of a smaller credit union or community bank for that matter. I understand that some double standards are inevitable but unless Congress makes sure that all institutions are subject to the type of rigorous information security protocols with which banks and credit unions already must comply, American consumers will continue to be at a needlessly high risk of having personal information stolen and used against them.

I am getting off my high horse now.

Visa, Mastercard Close to Interchange Fee Settlement…Again

Bloomberg News and the Wall Street Journal are reporting that Visa and Mastercard are close to settling a 13-year-old class-action lawsuit brought against them by merchants claiming that they exercised monopoly power to inflate interchange fees. Under the agreement, Visa, Mastercard and banks would pay merchants about $6.5 billion.

If you’re scratching your head, swearing that you thought this lawsuit was already settled, you’re not losing your mind. An earlier $5.7 billion settlement was rejected by the Court of Appeals for the 2nd Circuit in 2016. The new settlement also reportedly makes it easier for merchants who opted out of the settlement to sue in the future. In other words, as sure as the sun rises in the east and sets in the west, as long as there are banks, merchants, credit cards and debit cards, there will be antitrust litigation in some form or another.

On that note, have a great weekend.

June 29, 2018 at 8:52 am

Another Day, Another Massive Data Breach

Equifax, one of the big three credit reporting agencies, yesterday disclosed a “massive data breach” that may impact roughly 143 million people, nearly half the U.S. population. The breach includes the compromise of Social Security numbers, birth dates and approximately 209,000 credit card numbers.

Let’s face it. It’s the same old song with a different tune. This is yet another example of why we need national standards and a national framework for dealing with data breaches and their consequences. In fairness to Equifax, it’s too early to know whether the breach was the result of mistakes on its part or simply the end result of some talented hacking carried out in spite of adherence to prudent safeguards. But when I hear Equifax’s CEO explain that he is “deeply disappointed” by the break-in, my guess is a lawsuit isn’t too far away.

Unfortunately, it’s far from clear precisely how much liability Equifax will face even if it was negligent in safeguarding this sensitive information. In 2016, the Supreme Court held in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), that in order for a plaintiff to have standing to sue in federal court, the injury alleged must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”

The standard has been a particularly tricky one for the courts to apply in the context of data breaches. In a decision in August, Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), the U.S. Court of Appeals for the D.C. Circuit held that the lawsuit against health insurer CareFirst, Inc. could go forward. It ruled that so long as customers plausibly alleged that their names, birth dates and email addresses had been compromised, they faced a substantial risk of identity theft sufficient to confer standing. Similar logic was adopted by the 3rd Circuit in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).

However, not all circuits agree. In In re SuperValu, Inc., No. 16-2378, 2017 WL 3722455 (8th Cir. Aug. 30, 2017), the 8th Circuit ruled that most of the consumers whose information may have been compromised by a data breach lacked standing to sue the company. It reasoned that the mere possibility that an individual’s data may be used against them does not constitute enough harm to bring a lawsuit.

My guess is, the Supreme Court will take up this issue, maybe as early as this upcoming term. In the meantime, at some point Congress will come to its senses and pass meaningful comprehensive data breach protection legislation…and people say I’m cynical.

NCUA Releases Second Quarter Performance Data

The industry received its second quarter report card. It continues to show strong performance by the credit unions in the aggregate but it also continues to show that if you’re not big, there’s a good chance that your credit union is struggling. On that cynical note, I expect you all to enjoy your weekend and do nothing on Sunday but watch football. I hope to see some of you Monday at our annual Legal and Compliance Conference.

September 8, 2017 at 8:48 am

New York Experiences Sharp Increase in Data Breach Reports

More than 1.6 million New Yorkers were victimized by data breaches in 2016, as the state saw a 60% increase in the number of data breaches and a tripling of the number of exposed records, according to a report released last week by Attorney General Eric T. Schneiderman. Equally troubling, the most frequently stolen information was Social Security numbers and financial data, meaning that we are likely to experience the consequences of these breaches for years to come.

Interestingly, according to the AG, although hacking remained the leading cause of data breaches (40%); in 2016, “employee negligence, which consists of a combination of inadvertent exposure of records, insider wrongdoing, and the loss of a device or media, nearly tied hacking by accounting for approximately 37% of breaches.”

The AG’s findings are based on the data breach notifications mandated by § 899-aa of New York’s General Business Law. One quick takeaway: the report’s findings underscore why your credit union should have clearly delineated policies about employees bringing their own devices to work, as well as guidelines about which employees are going to get access to smartphones and company equipment.

March 27, 2017 at 7:30 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.