Posts tagged ‘data breach’

Why This Blog Should Scare You

For the last couple of days, I have been gobbling up information on a data breach involving First American Financial Corporation. In my ever so humble opinion, this is more than your average data breach. It has the potential to be a watershed moment, particularly for those of you who handle mortgages, and underscores why your credit union’s top compliance priority should be making sure you have an adequate framework in place for appropriately evaluating your vendor relationships.

For those of you who haven’t heard, on May 24th Krebsonsecurity broke the news that First American Financial Corp effectively exposed 885 mortgage documents to public access. According to Krebs, the digitized information included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images and was organized in a way that made searching through the documents user-friendly.

Yesterday I read through this complaint in which a Pennsylvania resident is seeking to bring a class-action lawsuit against the company for, among other things, violating California law and breach of contract. Finally, Krebs is reporting that New York State is investigating the company in what may be the first high-profile test of its ability to impose its cybersecurity regulations on out-of-state actors. All this is coming at a time when regulators stand to place greater pressure, at least on bigger credit unions, to ensure that third-party vendors are contractually obligated to meet very specific data protection requirements. Here’s why I think this is such a big deal:

  • Although the lawsuit is being brought against First American, it underscores just how vulnerable financial institutions are to the mishaps of vendors. Many credit unions and banks have relationships with specific title insurance companies and it isn’t much of a stretch to see how these kinds of mistakes could directly impact their consumer relationships.
  • If I were a relatively large federal credit union, I would be asking myself if it is prudent to comply with New York State’s cybersecurity regulations even though they are not directly applicable. In the absence of federal action, New York will be aggressively seeking to impose its requirements any time it can. Furthermore, the lawsuit alleges that the company did not take basic steps, such as performing periodic penetration testing to see how vulnerable its data was to third parties. Had they used New York’s regulations as a de facto standard, this oversight would have been avoided. This is certainly a discussion that should involve your attorneys and compliance people.
  • Think long and hard not only about the language you put in your contracts to obligate third-party providers to meet data protection standards but also what steps you are taking to demonstrate that those standards are being complied with. Start by doing an analysis of what vendors have the most information and work back from there.
  • Once again, this case will test the legal issue of standing. I haven’t seen any proof yet that a person has been hurt by this breach beyond the fact that their personally identifiable information was exposed like a couch your neighbor wants to get rid of and puts on the sidewalk. For me this should be enough to prove standing but the standard enunciated by the Supreme Court in Spokeo puts this very much in doubt.
  • Finally, this is yet another example of why we need federal action now. Yesterday the legislature held a cybersecurity hearing. I don’t blame the state for acting but I do believe that ultimately this is an issue best dealt with on the federal level where a single set of rules and regulations can be imposed.

Here is an excellent blog I read on the subject yesterday.

June 5, 2019 at 9:20 am

4 Lessons from a “Massive” Mortgage Data Breach

The website TechCrunch has caused quite the stir within the mortgage industry since it reported in late January on a massive mortgage data breach. Although the web is still being untangled, it appears that millions of pages of mortgage documents containing personally identifiable information were left on an unencrypted server for at least two weeks. A game of legal hot potato has already begun. Many of the mortgages were originated by the nation’s largest financial institutions, but since so many of the mortgages were sold and so much of the information ended up being in the possession of third parties, these lenders have already said that they are not to blame. This is shaping up as the highest profile mortgage data breach and it underscores crucial gaps in data security for both consumers and lenders.

First, it is not enough to hold vendors accountable for appropriate data standards; you must also hold the vendors of vendors accountable. For instance, in this case, the source of the exposed mortgage documents was traced to a Texas-based data and analytics company, Ascension. But Ascension says the real villain is one of its vendors, OpticsML, a document management startup in New York. I’m going to go out on a limb here and say that OpticsML better be able to demonstrate to NYS regulators that they were complying with New York’s Cybersecurity regulations.

Secondly, there’s the real basic issue of just how much information all mortgage lenders have in their possession. Everyone should have baseline policies and procedures detailing how email is to be handled and how passwords and encryption are to be used, and should make sure that employees are held accountable if they repeatedly fall victim to phishing mishaps. Password management and phishing both played a part in this attack. To be fair, just how much care is enough care when it comes to data security in an age of email is still an unsettled issue for the courts. You have to balance safety against consumer access. But if you are not taking common sense measures to protect your sensitive data and adhering to relevant laws, get ready to write a check to your outside counsel.

Thirdly, what about the contract? After all, any good contract should make the party with whom you are contracting responsible for the conduct of its vendors. What this situation underscores is that this type of contractual liability only goes so far. Think about how many parties can have access to a consumer’s data over the life of a mortgage loan, starting with the original bank underwriters and originators, to secondary market purchasers, to mortgage servicers, to securitizers, to data storage and analytics companies. Any lapse in the chain undermines everything.

Fourth, such a broad scope of responsibilities can only be addressed through broad federal legislation. It is no consolation to the thousands of consumers whose personal information has been compromised that the financial institutions with whom they dealt adhere to rigorous data security standards if other parties simply ignore or are not subject to the same standards. It’s time for Congress to get the hint.

February 13, 2019 at 8:45 am

DFS Agrees To Consent Order With Equifax

Yesterday, New York’s Department of Financial Services announced that it had joined several other state regulators in agreeing to a consent order with Equifax over its shoddy data protection protocols, which led to the historic 2017 data breach of the credit reporting agency.

Under the agreement, Equifax’s board must put safeguards in place which any financial institution should be embarrassed for not having put in place years ago. For example, the board or committee approved by it must approve and annually review an Information Security Policy; must receive annual reports on its Information Security Management; and improve board minutes to capture board actions reviewing necessary information.

On a constructive note, if I were on a board or in senior management at a credit union, I would review this Order. Don’t get me wrong, I’m not saying your credit union needs to have the same level of protections as a company as large and sophisticated as Equifax does, but your credit union should have regularly updated cybersecurity policies and procedures with staff assigned and held accountable for ensuring that they are properly implemented. If your credit union doesn’t have this framework, it is whistling past the graveyard.

On a more negative note, this is yet another example of how the big guys get away with relative slaps on the wrist for conduct that would probably lead to the emergency merger of a smaller credit union or community bank for that matter. I understand that some double standards are inevitable but unless Congress makes sure that all institutions are subject to the type of rigorous information security protocols with which banks and credit unions already must comply, American consumers will continue to be at a needlessly high risk of having personal information stolen and used against them.

I am getting off my high horse now.

Visa, Mastercard Close to Interchange Fee Settlement…Again

Bloomberg News and the Wall Street Journal are reporting that Visa and Mastercard are close to settling a 13-year-old class-action lawsuit brought against them by merchants claiming that they exercise monopoly power to inflate interchange fees. Under the agreement, Visa, Mastercard and banks would pay merchants about $6.5 billion.

If you’re scratching your head, swearing that you thought this lawsuit was already settled, you’re not losing your mind. An earlier $5.7 billion settlement was rejected by the Court of Appeals for the 2nd Circuit in 2016. The new settlement also reportedly makes it easier for merchants who opted out of the settlement to sue in the future. In other words, let’s assume that as sure as the sun rises in the east and sets in the west, as long as there are banks, merchants, credit cards and debit cards, there will be anti-trust litigation in some form or another.

On that note, have a great weekend.

June 29, 2018 at 8:52 am

Another Day, Another Massive Data Breach

Equifax, one of the big three credit reporting agencies, yesterday disclosed a “massive data breach” that may impact half the U.S. population. The breach includes the compromise of social security numbers, birth dates and up to 290,000 credit card numbers.

Let’s face it. It’s the same old song with a different tune. This is yet another example of why we need national standards and a national framework for dealing with data breaches and their consequences. In fairness to Equifax, it’s too early to know if the breach was a result of mistakes on its part or simply the end result of some talented hacking carried out in spite of adherence to prudent safeguards. But when I hear Equifax’s CEO explain that he is “deeply disappointed” by the break-in, my guess is a lawsuit isn’t too far away.

Unfortunately, it’s far from clear precisely how much liability Equifax will face even if it was negligent in safeguarding this sensitive information. In 2016, the Supreme Court held in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), that in order for a plaintiff to have standing to sue in federal court, the harm caused must be “concrete and particularized and actual or imminent, not conjectural or hypothetical.”

The standard has been a particularly tricky one for the courts to deal with in the context of data breaches. In a decision in August, Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), the U.S. Court of Appeals for the D.C. Circuit held that the lawsuit against health insurer CareFirst, Inc. could go forward. It ruled that so long as customers could prove that their names, birth dates and email addresses were compromised, they were being harmed by the imminent risk of a data breach. Similar logic was adopted by the 3rd Circuit in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).

However, not all circuits agree. In In re SuperValu, Inc., No. 16-2378, 2017 WL 3722455, at *1 (8th Cir. Aug. 30, 2017), the 8th Circuit ruled that consumers whose information may have been compromised by a data breach lacked standing to sue the company. It reasoned that a mere possibility that an individual’s data may be used against them does not constitute enough harm to bring a lawsuit.

My guess is, the Supreme Court will take up this issue, maybe as early as this upcoming term. In the meantime, at some point Congress will come to its senses and pass meaningful comprehensive data breach protection legislation…and people say I’m cynical.

NCUA Releases Second Quarter Performance Data

The industry received its second quarter report card. It continues to show strong performance by the credit unions in the aggregate but it also continues to show that if you’re not big, there’s a good chance that your credit union is struggling. On that cynical note, I expect you all to enjoy your weekend and do nothing on Sunday but watch football. I hope to see some of you Monday at our annual Legal and Compliance Conference.

September 8, 2017 at 8:48 am

New York Experiences Sharp Increase in Data Breach Reports

More than 1.6 million New Yorkers were victimized by data breaches in 2016 as the state saw a 60% increase in the number of data breaches and a tripling of the number of exposed records, according to a report released last week by Attorney General Eric T. Schneiderman. Equally troubling, the most frequently stolen information was social security and financial data, meaning that we are likely to experience the consequences of these breaches for years to come.

Interestingly, according to the AG, although hacking remained the leading cause of data breaches (40%); in 2016, “employee negligence, which consists of a combination of inadvertent exposure of records, insider wrongdoing, and the loss of a device or media, nearly tied hacking by accounting for approximately 37% of breaches.”

The AG’s findings are based on required notifications of data breaches mandated by §899-aa of New York Business Law. One quick take-away: the report’s findings underscore why your credit union should have clearly delineated policies about employees bringing their own devices to work, as well as guidelines about which employees are going to get access to smart phones and company equipment.

March 27, 2017 at 7:30 am

You want fries with that Data Breach?

I have one good thing to say about hackers. They have provided us with fresh evidence of why state and federal lawmakers need to impose commonsense requirements on merchants and businesses that don’t adequately protect card information from data breaches, and also don’t bother informing consumers of their mistakes.

Three things happened yesterday that are worth telling your congressman and senators about if you are going to be at CUNA’s Governmental Affairs Conference at the end of the month. First, a Pennsylvania federal magistrate has ruled that a class action lawsuit brought by a group of credit unions and CUNA seeking damages in relation to debit and credit cards compromised by a point of sale data breach at Wendy’s franchises can go forward, First Choice Federal Credit Union, et al. v. Wendy’s Co. (U.S. Western District PA). The arguments advanced by Wendy’s in this case underscore precisely why we need clear-cut legal standards making merchants responsible for protecting customer data once and for all. Wendy’s alleges that it has no duty to safeguard sensitive customer information or to provide adequate notification of a data breach.

Fortunately the courts are growing increasingly impatient with arguments such as these. But the fact still remains that, without specific laws in place, merchants will continue to deny that they are in any way responsible for the cost related to data breaches.

Also yesterday I was sitting in on CUNA’s weekly regulatory update call. (For the record, I realized after the fact that I was THAT GUY who chats away not realizing his phone was off mute: sorry about that.) During the call, CUNA discussed news of yet another fast food data breach. This one has occurred at Arby’s restaurants. If you are a New York credit union and you think you may have been victimized, give me a call, as we would like to get a sense of the scope of the possible theft.

Last but not least, it appears that Yahoo’s data breach may be even worse than reported. When Yahoo finally got around to disclosing that its data had been compromised, it asserted that no debit or credit card information was stolen. A merchant in Texas has recently started a class action lawsuit alleging that his card information was in fact compromised by the breach of the embattled tech icon.

Yellen’s testimony indicates interest rate rise coming soon

In the first day of her semi-annual testimony before Congress, Federal Reserve chairwoman Janet Yellen warned that waiting too long to remove interest rate accommodation would be “unwise.” The likelihood that the Federal Reserve will once again raise interest rates, perhaps as early as March, is more good news for the banks and credit unions that have struggled with narrow profit margins.

On that note, let’s be careful out there and enjoy your day.

February 15, 2017 at 8:54 am

Moving the Onus of Data Breaches

I’m feeling lucky today. On the same day that New York credit unions are going to the Legislature to advocate for stronger data protections, among other things, news reports explain why small credit unions and banks are objecting to a proposed settlement between MasterCard and Target in relation to Target’s data breach.

To his credit, the Attorney General has made data breach legislation one of his main priorities. Recently, the Legislature introduced bills at his request (A.6866/S.4887) that would require all businesses in New York State to adhere to certain basic industry standards. For example, businesses that comply with Gramm-Leach-Bliley privacy protections would be in compliance with the AG’s standards. Since banks and credit unions have had to meet basic privacy protections for years, the main effect of the AG’s proposal would be to apply these standards to merchants. This is, of course, a good thing. But what happens when the merchants don’t live up to their end of the bargain?

Which brings us to today’s news. As explained in this article in the Wall Street Journal, small banks and credit unions are objecting to the proposed MasterCard settlement negotiated with larger banks on the grounds that it doesn’t provide adequate redress to smaller institutions. You may be aware that credit unions have joined class action lawsuits seeking damages against Target and other retailers for costs related to the breach. One of the main reasons why the Target lawsuit has legs is because Target is headquartered in Minnesota. In addition to being the land of 1000 lakes, it is also one of the first states in the nation to have a statute enabling financial institutions to recover for the cost of data breaches caused by merchants. These costs include the expense of reissuing new debit and credit cards.

The AG’s bill includes no similar rights for New York banks and credit unions. If the legislation ultimately includes such a right, it would be a pretty fair deal for financial institutions and consumers. Data would be better protected and the fear of litigation would put some teeth behind this bill. In contrast, unless credit unions and banks get a statutory right to recover for the costs of breaches for which they are not responsible, costs of these data breaches will not be shouldered by the parties most responsible. This is particularly important for credit unions since, as the article points out, data breaches are more costly for smaller institutions.

April 29, 2015 at 7:52 am

Target Decision Squeezes Merchants: Now What?

Is the tide turning in data breach cases? Can Captain Ahab really retire? Inquiring minds want to know.

Earlier this week, a federal district court in Minnesota ruled that a group of financial institutions including at least one credit union could go forward with its claim that Target was negligent in letting hackers steal credit and debit card information from more than 110 million consumers last year. (In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522 PAM/JJK, 2014 WL 6775314, at *4 (D. Minn. Dec. 2, 2014)). The case follows a decision by the Court of Appeals for the Fifth Circuit to allow financial institutions to go forward with a similar claim against Heartland Payment Systems, which they allege negligently stored plastic card information also stolen by third-party hackers. (Lone Star Nat. Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421, 426 (5th Cir. 2013)).

Both of these cases are welcome developments for credit unions. The industry has correctly argued for years now that there is too little responsibility placed on merchants when it comes to protecting against data breaches. However, these developments also underscore just how important it is to couple legal action with a multi-pronged push to achieve data breach protections on both the state and federal level.

Most importantly, any litigation in this area will ultimately depend on the interpretation of individual state laws and legal standards. For instance, Target is incorporated in Minnesota, which I believe was the first state in the nation to pass legislation imposing liability on merchants that negligently store debit and credit card information. In refusing to dismiss the case against Target, the district court noted that the claim of the financial institutions was “bolstered” by the statute, which underscored the state’s policy of expecting merchants to protect against data breaches. In the Heartland case, the circuit court’s decision to allow the financial institutions to go forward was based on its interpretation of New Jersey case law.

The importance of state law and regulation to the outcome of these cases demonstrates that in this area more than others a coordinated attempt to pass data breach legislation on both the state and federal level is paramount for the industry. Every time financial institutions bring one of these cases it puts more pressure on merchants to consider coming to the negotiating table and agreeing to uniform data storage requirements. In addition, it’s impossible to predict what Congress will do in this area, but both the Heartland and Target decisions demonstrate that much could be done on the state level regardless of what machinations take place in D.C. The cases also raise an important issue for the industry to consider as it continues to push for data breach requirements. My guess is that the merchants will ultimately agree to data protection requirements in return for preemption of state laws. If the lawsuits continue to trend in favor of financial institutions, we may reach a point where the value of federal data breach standards is outweighed by the value of state-imposed liability.

Keith Leggett to Retire

Dr. Keith Leggett, Senior Vice President at the American Bankers Association and self-proclaimed Captain Ahab to the credit union industry’s white whale, announced that he will be retiring early next year. Keith is a professional gadfly to the credit union industry best known to many of you for writing his Credit Union Watch blog. He reportedly will continue to write this blog even in retirement, so we aren’t quite done with his cogent barbs.

I have a soft spot for anyone who reads my blog and a special soft spot for anyone who takes the time to respond to one of my tirades, even if they disagree with everything I’ve said. I’ve gotten to know Keith a little as a result of comments to my blogs. He even has been nice enough to give me the heads up on a typo or two. So Keith, I hope you have a better retirement than Captain Ahab and thanks for the input.

December 5, 2014 at 8:36 am

New York State Should Make Merchants Do More To Prevent Data Breaches

My challenge today is to see if I can write this blog in less time than Eli Manning takes on average to throw an interception. No easy task, but here goes.

There are two basic reasons to hold a hearing in Albany. The first reason is to react to an issue without actually doing anything about it. Typically you’ll see these hearings later in a legislative year when there simply isn’t enough time to get something accomplished. The second reason is to actually lay the groundwork for key issues the Legislature will deal with in an upcoming session.

On Friday, the Assembly’s Consumer Affairs and Protection Committee and its chairman Jeffrey Dinowitz held a hearing on legislation he proposed (A.10190) mandating that businesses in New York develop policies and procedures to deter data breaches. Given the controversy surrounding the issue, I wouldn’t concentrate too much on the specifics of the legislation at this point. But the mere fact that the Assemblyman has decided to hold a hearing on the issue demonstrates that the question of what to do about data breaches is sure to be a high profile issue in the upcoming legislative session.

The hearing featured the testimony of Ted Potrikus, the President of the Retail Council and an erstwhile Albany veteran. The way retailers tell the story, there really is no need for data breach mandates. The reputational risk to retailers from data breaches is more than enough to get them to put the necessary precautions in place.

However, data breaches are not a new phenomenon and merchants have so far been unwilling to invest the resources necessary to guard against data breaches. Every year, a survey is done assessing PCI compliance. As I explained in a previous blog, the most recent survey results indicate that businesses are still not making the commitment to guard against data breaches. Home Depot’s top executive recently conceded as much.

A second argument advanced by retailers is that they are as much victims of data breaches as are financial institutions. Again, this is not entirely accurate. First, it is banks and credit unions that have to bear the cost of replacing compromised debit and credit cards. Secondly, it is extremely difficult to make merchants legally responsible for their negligence in handling customer data. For example, many retailers contract with third-party processors. These companies aggregate plastic transactions on behalf of merchants and process their payments. Litigation involving Heartland has underscored just how difficult it is for card issuers to make these processors responsible for the cost of their negligence.

Don’t get me wrong, no retailer wants to see their business victimized by data breaches. But as the law stands right now, they simply don’t have enough skin in the game to incentivize the creation and implementation of the policies and procedures Assemblyman Dinowitz wants to mandate. Finally, the retailers correctly argue that the battle against data breach is a constantly shifting one. A business may invest in the best technology possible today only to find that the bad guys have made it obsolete tomorrow. But this argument misses the point. Precisely because there is no magic bullet technology that will prevent all data breaches, legislators need to ensure that merchants are legally obligated to take baseline steps to protect against data breaches.

It could, of course, be argued that a national problem such as data breaches should best be dealt with on a federal level. I would love to see national legislation addressing this problem. But a state as large and important as New York has the authority and the ability to finally impose baseline responsibilities on all businesses. After all, credit unions and banks, for that matter, have already been required to have regulations and policies in place for years now, but without the help of merchants they are fighting with one hand tied behind their back.

November 17, 2014 at 8:10 am

Is Your Employee’s iPhone A Ticking Timebomb

This week marked the latest consumer frenzy accompanying the release of what feels like the twentieth version of the iPhone. Whereas many of you may enjoy the sight of adults arriving at work with the eagerness of children going to school the day after their birthday to show off their newest toys, I am unabashedly part of a profession dedicated to protecting people against their over-exuberance. So, remember that every time your employee brings a new portable device to work, it raises important issues related to data protection that are particularly important for financial institutions to remember.

Surveys indicate that the vast majority of companies authorize employees to bring their own devices into the workplace (so called BYOD policies) as opposed to buying the gadgets for work use only.  Let’s be honest, an office that doesn’t have a WiFi hookup, let alone let their employees keep up with their “Facebook friends” during downtimes may be doing the right thing on paper, but isn’t exactly creating the type of environment to attract the best and the brightest, at least if they’re under 40.

But, as Pedro Pavon points out in an excellent article in the September issue of the ABA’s Business Law Today Journal, “BYOD policy presents companies with a myriad of risks and challenges . . .” Lawyers advising clients need to emphasize that “the biggest risk with BYOD is data loss.” I think this is particularly true of financial institutions irrespective of your size. The line between work and home blurs every time an employee responds to an after work email; stores a password on his or her smartphone; or forwards a document to a co-worker while on the way to work. Ask yourself a simple question: if one of your employees misplaces her cell phone today, what information could a hacker have access to tomorrow? If you don’t know the answer, or you do know the answer but think there is nothing you can do about it, then it is time to sit down with your IT people and your policy drafter and get to work.

According to the article, one option is to use technology specifically designed to monitor mobile hardware. The software will, for example, allow you to wipe the data off a smartphone and track a smartphone’s whereabouts. You could also mandate the use of PINs on someone’s personal smartphone. The problem with all of this, of course, is that the company is seeking to take control of someone’s personal device. When you wipe my cell phone clean and I find it in the laundry pile the next day, I am going to be less than amused that I have to reconstruct the contact list from my poker group just because my employer is justifiably paranoid. The best bit of advice from Pavon is that as companies acquire tracking software and develop policies, employees should be told exactly what information and capabilities employers want to give themselves in return for allowing employees to bring their own devices.

A second piece of the puzzle is that employers responsible for monitoring smartphone usage need to know exactly where the company’s legitimate need to monitor employee technology crosses the line from legitimate work purposes to voyeurism. This line won’t always be easy to figure out, but having everyone buy in to not only the use of technology in the workplace, but the need for legitimate protections from data breach, is the crucial first step that none of you should put off.

September 26, 2013 at 8:28 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
