Posts tagged ‘Krebsonsecurity’

Are you prepared for the next pandemic?

I certainly don’t want anyone to overreact, but as I was getting ready to go this morning, I listened to the news that the coronavirus is continuing to spread. In addition, with an incubation period of 14 days, an epidemiologist interviewed on Bloomberg predicted that as many as 100,000 people could ultimately be infected.

It’s time to start dusting off those continuity plans addressing what steps your credit union would take in the event of a wide-spread virus. Here are a couple of good places to start:

In 2006, there was wide-spread fear of an influenza pandemic. The financial regulators, including the NCUA, responded with this inter-agency statement on Pandemic Planning.

In 2014, we had the Ebola Outbreak. One of the most helpful analyses of the legal issues confronted at the time by employers was this blog post from Bond Schoeneck & King, which addressed issues such as the extent to which employers could inquire about employees’ travel plans.

There are also regulations you are already subject to. For example, Federal law requires employers to provide employees a place of employment free of “recognized hazards that are causing or are likely to cause death or serious physical harm” to employees (29 USCA section 654). Consistent with this obligation OSHA issued this guidance during the flu epidemic.

Now I want to stress that all of these outbreaks are unique and raise different issues. Furthermore, I’m not aware of any formal regulatory requirements that have been imposed on financial institutions as a result of the coronavirus. But as I like to say, I am paid to be paranoid, and now is a good time to start answering the questions that you could be asked if this virus spreads.

Another day, another data breach

In the immortal words of the second greatest American entertainer of the 20th Century, Ray Charles, “Here we go again.” KrebsonSecurity is reporting that convenience store chain Wawa has been victimized by a nine month data snatching security breach. This is based on news that the bad guys are already offering to sell personally identifiable information on the dark web. Rather than go through the usual litany of complaints I think I’m just going to let Ray Charles finish out the blog with one of my favorite songs:

I’ve been there before
And I’ll try it again
But any fool knows
That there’s no way to win
Here we go again
She’ll break my heart again
I’ll play the part again
One more time







January 29, 2020 at 9:32 am Leave a comment

Another Day, Another Data Breach

As faithful readers of the blog know, when I start with a sentence reporting the latest data breach uncovered by Krebsonsecurity, it means that a massive number of credit and debit cards have once again been stolen by hackers. According to the website, a popular underground store selling credit and debit cards is offering to sell more than 5.3 million new accounts belonging to cardholders from 35 states. It now appears that this treasure trove of information was stolen from the Hy-Vee Supermarket chain, which apparently has hundreds of stores in the Midwest.

On August 14, the company announced that because it “takes the security of payment card data very seriously,” it wanted to make its customers aware of an investigation it was conducting into a “security incident” that focused on payments made at affiliated gas stations, restaurants, and supermarkets.

Since the supermarket chain is based in the Midwest, hopefully this will not impact your members; it does, however, give me the opportunity to once again point out obvious points that so many of our policy makers refuse to acknowledge or act on.

  • When are we going to stop calling the black market for credit and debit card information a black market? On a practical level, people can go onto the web and sell this information with virtual impunity. In reality, it’s become a de facto secondary market. Consumers and businesses are paying the price.
  • The legal system works best when the parties most responsible for a given injury bear the burden of the cost associated with their mistake. By this standard, liability for data breaches remains woefully inadequate. This breach will undoubtedly spark several lawsuits and result in a large multimillion dollar settlement, but so long as consumers have to prove not only that their data was exposed to a data breach, but that their data actually was used in a way that cost them money, consumers will have a difficult time making businesses pay for the harm they are inflicting. As for financial institutions, courts and legislators have to stop viewing data breaches as contract violations as opposed to torts for which there are wide ranging damages.
  • Of course, all of this could be resolved by Congress, but it won’t be; at least not in the near future.

Wildcard Legislation Sent to Governor

Late last week, legislation was sent to the Governor to extend the Department of Financial Services’ wildcard powers for banks and credit unions. This is absolutely critical legislation which we expect the Governor to approve. Without action by the Governor, this power expires in September.

Originally passed in 1996 to make the state banking charter more competitive with its federal counterpart, the law has applied to credit unions since 2007. The basic idea is that state chartered financial institutions can apply to the Department of Financial Services for permission to exercise a power that federally chartered institutions have, but that state chartered credit unions do not. In recent years, the Department of Financial Services has utilized its authority to help both banks and credit unions, and so doing, has made the state charter more attractive to federal credit unions.

The Association has of course signaled its support of the measure and we will tell you when the Governor takes action on the bill.

August 27, 2019 at 9:31 am Leave a comment

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 653 other followers