The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.
Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.
The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:
- failed to encrypt some types of sensitive personal information, including social security numbers
- did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
- failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
- provided little or no data-security training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
- released applications to the public without having tested whether they were secure.
Link: Press Release from Consumer Financial Protection Bureau | Full CFPB Complaint
Credit ratings agency Standard & Poor’s has recently signalled that “cybersecurity as an emerging threat … has the potential to pose a higher risk to financial institutions in the future, and possibly result in [credit] downgrades.”
The ratings agency has gone so far as to say that if a bank or other financial institution is ill-prepared to withstand an IT security breach, it could be downgraded even without suffering an actual attack. And (more conventionally) a downgrade may also be warranted after a breach, if the breach causes significant reputational issues with the potential to result in a major loss of customers, or if the financial or legal losses significantly affect the bank’s balance sheet.
With that in mind, Standard & Poor’s notes that it has begun to ask a range of questions regarding financial institutions’ preparedness against IT security breaches, including:
- Do you have a robust, well-documented program to monitor IT security risks?
- Does the financial institution have any third-party vendor oversight? If so, what kind and how much?
- How long has it typically taken to detect an attack?
- What containment procedures are in place if the financial institution is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about IT security exists on the board of directors?
- How much does the financial institution spend on IT security, and what resources does it devote? What is the total tech budget this year versus last?
- Does the financial institution have any insurance to compensate for an IT security breach?
Link: Standard & Poor’s article
The US District Court (District of Minnesota) has granted class certification to a group of financial institutions in the data breach case against Target Corporation. The financial institutions issued payment cards such as credit and debit cards to consumers who used those cards at Target stores during the 2013 data breach.
The financial institutions alleged that Target was negligent in failing to provide sufficient security to prevent the hackers from accessing customer data. The financial institutions alleged that they suffered injury in the form of replacing cards for their customers, reimbursing fraud losses, and taking various other remedial steps in response to the Target data breach.
The US District Court rejected Target’s argument that the financial institutions’ injuries were limited to “risk of future harm”, on the basis that the financial institutions have already suffered injury. According to a September 2014 American Bankers Association survey, the affected financial institutions had to reissue “nearly every card” that was subject to an alert after the Target breach.
Links: Ars Technica Article | Judgment
The US Securities and Exchange Commission and investment adviser R.T. Jones Capital Equities Management have agreed to settle charges that the latter failed to establish the required security policies and procedures in the lead up to a data breach that compromised the personally identifiable information of approximately 100,000 individuals.
As part of the SEC’s investigation, it found that R.T. Jones Capital did not have any written policies and procedures designed to protect customer information. Further, R.T. Jones Capital did not conduct periodic security risk assessments, encrypt personally identifiable information stored on a third-party server, implement a firewall, or maintain a response plan for potential security incidents.
Link: SEC Press Release
According to the Identity Theft Resource Center, the number of US data breaches hit a record high of 783 in 2014, disclosing nearly 86 million records. The medical/healthcare industry accounted for 42.5% of the reported breaches and over 8 million disclosed records, followed by the business sector with 33% (but over 68 million disclosed records). The financial sector performed best – accounting for 5.5% of breaches and only 1.4% of disclosed records. However, Kaspersky Lab (a cybersecurity firm) has released a report showing that hackers have stolen up to $1 billion from more than 100 financial institutions in 30 countries.
Source: Identity Theft Resource Center and Kaspersky Lab