On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.
Securities and Exchange Commission Chair Mary Jo White emphasized the agency’s focus on cybersecurity preparedness and response at a conference in Washington, D.C. in mid May, stating “we can’t do enough in this sector.” Reuters reports that Chair White views cybersecurity as the biggest risk facing the financial system, quoting her as saying that “what we [have] found…is a lot of preparedness, a lot of awareness but also…policies and procedures [that] are not tailored to [entities’] particular risks.”
On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees. The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).
On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive”) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.
The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015. It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.
On Monday, May 16, the Supreme Court addressed the question of whether an alleged violation of the Fair Credit Reporting Act (FCRA), without allegation of concrete injury, is ever sufficient for Article III standing. The case, Spokeo Inc. v. Robins, No. 13-1339 (2016), involved a class action against data broker Spokeo Inc. The plaintiff, Thomas Robins, alleged that Spokeo violated the FCRA by inaccurately reporting online that he was a wealthy, married man with children and a graduate degree when he was actually unmarried and out of work. He argued that those inaccuracies could have hurt his chances with potential employers. The district court dismissed Mr. Robins’s case for failure to show any actual harm from the false information, but in 2014, the U.S. Court of Appeals for the Ninth Circuit allowed the case to move forward based on its analysis that Mr. Robins’s injury allegation was particularized because he alleged that Spokeo violated his individual rights when it handled his information.
On March 21, the federal banking agencies and the Financial Crimes Enforcement Network (collectively, the Agencies) published interagency guidance to issuing banks on the application of the joint regulations implementing the customer identification program (CIP) requirements set forth in Section 326 of the USA PATRIOT Act (the CIP Rule) to their prepaid cards. The guidance clarifies that a bank should apply its CIP to the cardholders of certain prepaid cards issued by the bank and other prepaid access devices that meet the criteria in the guidance. The guidance is largely consistent with current industry practice.
On January 5, the Financial Industry Regulatory Authority (FINRA) released its annual Regulatory and Examination Priorities Letter (Letter) to highlight risks that FINRA believes could adversely affect investors and market integrity. This year’s Letter differs from those in the past in focusing on three broad, principle-based concerns in addition to the usual list of narrowly focused areas that examiners will certainly review. These broad areas are 1) culture, conflicts of interest and ethics; 2) supervision, risk management and controls; and 3) liquidity. The discussion is helpful because it explains FINRA’s overarching concerns, philosophy and its potential basis for pursuing enforcement actions. Firms should read this discussion carefully and internalize its principles. Firms should be able to document and demonstrate to FINRA their appropriate regulatory and ethical culture and how they actively identify and manage potential conflicts of interest. Likewise, in today’s highly automated and data-dependent markets, firms must be able to demonstrate that their procedures and policies related to cybersecurity, technology management and data quality are up to date, adequately resourced and strictly followed.
On December 17, 2015, the Executive/Plenary Committees of the National Association of Insurance Commissioners (NAIC) unanimously adopted an amended version of the Cybersecurity “Bill of Rights.” Renamed the “NAIC Roadmap for Cybersecurity Consumer Protections,” the document now states that while the NAIC believes consumers are entitled to the delineated protections, not all are currently provided for under state law.
On November 18, the Federal Trade Commission (FTC) issued final amendments to the Telemarketing Sales Rule (TSR) banning payment methods that the FTC believes are disproportionately used by scammers (the Final Rule). The Final Rule follows the notice of proposed rulemaking (NPRM) that the FTC published on July 9, 2013. While the Final Rule makes some modifications to the proposed amendments to the TSR that were included in the NPRM, the NPRM was not modified significantly and continues to ban remotely created payment orders (including remotely created checks), cash-to-cash money transfers and cash reload mechanisms in both inbound and outbound telemarketing.
In particular, the FTC rejected many industry comments on the grounds that the commenter did not provide examples or data to support its claims, highlighting the importance of hard evidence in making a case during the FTC’s rulemaking process. Moreover, although the American Bankers Association (ABA) argued that the proposed rule would be a direct and impermissible regulation of banks that exceeds the FTC’s authority, the FTC rejected the ABA’s position.
This Sidley Update briefly summarizes the key components of the Final Rule and the FTC’s analysis in support of its rulemaking.
On Friday, December 4, President Obama signed the Fixing America’s Surface Transportation (“FAST”) Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade. Despite its title, the bill impacts a number of regulated sectors. Nestled within this 490-page law are 13 pages that pertain to cybersecurity and other protections for the electric grid. As detailed below, the FAST Act also includes a number of privacy and cybersecurity provisions relating to privacy notices by financial institutions as required by the Gramm-Leach-Bliley Act, event data records in vehicles, Internet of Things technologies, and connected cars.