Cybersecurity attacks have increasingly garnered significant attention this summer—and financial regulators are taking notice and taking action. Earlier in August, the Securities and Exchange Commission (“SEC”) announced the indictment of nine players in a major hacking ring. The ring was designed to obtain corporate announcements prior to their public release, to give purchasers of the illegally obtained information an edge in securities trading. The attack combined old-school securities fraud with new-school cybercrime, and served as a reminder of financial markets’ potential vulnerabilities from the ingenuity of cybercriminals.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.
On July 27, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015 and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information. Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.
On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the personal information of the certain of the firm’s wealth management clients to personal devices and a personal website. Ultimately, the personal data became available on publicly accessible websites.
In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations. The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.
On July 1, 2015, China’s top legislature adopted a new National Security Law (中华人民共和国国家安全法), highlighting cyber security and paving the way for a coordinated crisis management system. The law aims to provide a general legislative framework to cover a wide range of areas, ranging from finance, politics, the military and cyber security to culture, ideology and religion.
The Federal Trade Commission released “Start with Security: A Guide for Business” on June 30, 2015. The guide contains ten best practices for addressing issues of data security based on lessons learned from the FTC’s 53 data-security actions to date. Specifically, it identifies “vulnerabilities” that could affect businesses of all sizes and provides some “practical guidance on how to reduce the risks [those vulnerabilities] pose.”
New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.
Following meetings between President Obama and Brazilian President Dilma Rousseff this week, the leaders issued a joint communiqué addressing a number of cyber issues. It would appear that post-Snowden tensions have ameliorated. In 2013, President Rousseff condemned alleged US spying. In their statement this week, the Presidents expressed a “share[d] understanding that global Internet governance must be transparent and inclusive, ensuring full participation of governments, civil society, private sector and international organizations, so that the potential of the Internet as a powerful tool for economic and social development can be fulfilled” and they reaffirmed “their adherence to the multistakeholder model of Internet governance.”
Although a frequent topic of discussion on Capitol Hill, no single standard for private-sector cybersecurity programs has yet to emerge. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is often considered foremost among existing guidance, but several other agencies are also expressing views, including the following recent guidance from the Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC). Significantly, both the DOJ and FTC tout the advantages of cooperating with law enforcement after a data breach by noting that such cooperation may lead to “regulatory” benefits.