FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take
Posted by Ronald London
The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.
Posted In: Federal Regulation, Financial Institutions, Identity Theft, Internet, Personal Privacy, Security Breaches, Security Measures
California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements
Posted by Charlene Brownlee
California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California's data security breach law to impose stronger data protection requirements than the Payment Card Industry Data Security Standard (PCI DSS).
AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.
Posted In: Financial Institutions, Security Breaches, State Legislation
Bank Regulatory Agencies Release Updated BSA/AML Examination Manual
Posted by Peter Mucklestone
The Federal Financial Institutions Examination Council (FFIEC) recently released an updated 2007 version of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which updates and further clarifies supervisory expectations since the 2006 version was published last year. The Manual is used in connection with examinations of supervised financial institutions.
The revised version is based on feedback from the banking industry and examination staff. The Office of Foreign Asset Control (OFAC) collaborated on the revisions made to the section that addresses compliance with economic and trade sanctions administered and enforced by OFAC.
The 2007 version of the manual is located on the FFIEC BSA/AML InfoBase website.
Posted In: Financial Institutions
OFAC Publishes Guidance for Banks
Posted by Peter Mucklestone
The Office of Foreign Assets Control (OFAC) recently published a brochure titled "Foreign Assets Control Regulations for the Financial Community" dated June 15, 2007, to help banks comply with the statutes and regulations that OFAC administers.
OFAC administers laws and regulations, including the Trading With the Enemy Act and the International Emergency Economic Powers Act, which further U.S. foreign policy and national security objectives through trade embargoes, blocked assets controls and other commercial and financial restrictions. All U.S. persons, including banks, must comply with the laws and regulations that OFAC administers.
Posted In: Financial Institutions
OCC Approves National Bank Investment in Fraud Prevention Company
Posted by Peter Mucklestone and Jim Young
The Office of the Comptroller of the Currency (OCC) recently issued an Interpretive Letter (the "Letter"), which concludes that national banks have the authority under 12 U.S.C. § 24(Seventh) to make a noncontrolling investment in a certain limited liability company (the "Investee LLC") that sells fraud prevention, identity verification, credential validation and payment/deposit risk services (the "Investee Activities") to financial institutions, credit card issuers, check acceptance companies, brokerage firms, mutual fund companies, retailers, governmental agencies and others. 12 U.S.C. § 24(Seventh) contains a broad grant of authority allowing national banks to engage in activities that are incidental to the "business of banking."
Posted In: Financial Institutions
SAR Forms Revised
Posted by Peter Mucklestone
The Financial Crimes Enforcement Network (FinCEN) has revised the forms of Suspicious Activity Report (SAR). Certain financial companies are required to file SARs with the Treasury Department to report suspicious activity relevant to possible violations of law or regulations. The new forms should not be used before June 30, 2007, and the old forms will not be accepted after December 31, 2007.
There are different forms for different reporting companies. Depository Institutions should use FinCEN Form SAR-DI, Securities and Futures Industries should use FinCEN Form 101, Casinos and Card Clubs should use FinCEN Form 102, and Insurance Companies should use FinCEN Form 108.
The revisions are intended to facilitate joint filings and thereby reduce the number of duplicate SARs filed for a single transaction.
The new forms may be viewed at the FinCEN website.
Posted In: Financial Institutions
FinCEN Clarifies Independent Review Requirements for MSB AML Programs
The Department of the Treasury Financial Crimes Enforcement Network (FinCEN) recently published Frequently Asked Questions (FAQs) providing guidance for money service businesses (MSBs) in connection with their anti-money laundering (AML) programs.
Under the Bank Secrecy Act (BSA), MSBs must establish an AML program which, at a minimum: sets forth internal policies, procedures, and controls; designates a compliance officer; provides for ongoing employee training; and provides for an independent audit function to test the program. 31 U.S.C. § 5318(h).
Posted In: Financial Institutions
When Your Offline Security Is Threatened By Your Online Activity, Part II
Posted by Joe Addiego
As blogged a month ago, several Craigslist users have been the target of violent robberies after being “cased out” during online transactions for the sale of their personal goods. It turns out that in addition to posing risks to your physical health, the use of message boards or auction sites can affect your financial health, as well, even if the financial transaction occurs offline.
The San Francisco Chronicle just reported an unfortunate incident that happened to a San Francisco resident, who unknowingly cashed a phony check he received in exchange for the sale of two bicycles he had posted for sale on Craigslist. The check was for an amount in excess of what he had negotiated, but despite some reservations, the seller cashed the check anyway. Apparently, the scam was intended to induce the seller to deposit the check at his own bank, so that the scammer could cancel the check and request that the bank return the money, which would come out of the unsuspecting seller's account, before the check was spotted as a phony.
Posted In: Financial Institutions
Agencies Release FAQs For Internet Banking Authentication
Posted by Peter Mucklestone
The bank regulatory agencies recently released a frequently asked questions ("FAQs") document to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005 (the "Interagency Guidance"). The Interagency Guidance addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services.
The FAQs are a representation of questions the agencies have received from financial institutions, agency examiners and technology service providers. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the Interagency Guidance by providing information on the scope of the Interagency Guidance, the timeframe for compliance, risk assessments, and other issues.
A link to the FAQs can be found on the Federal Financial Institutions Examination Council's (FFIEC) Web site.
Posted In: Financial Institutions
Lawyers as "Service Providers" Under the Gramm-Leach-Bliley Act
Posted by Peter Mucklestone and Stuart Louie
Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not "financial institutions" under the Gramm-Leach-Bliley Act ("GLBA") and therefore need not comply with the privacy obligations the GLBA imposes on financial institutions, it is likely that lawyers are "service providers" for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass'n v. Federal Trade Comm'n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. Cir. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation.
Posted In: Federal Regulation, Financial Institutions
Mutual Funds Must Report Suspicious Activity
Posted by Peter Mucklestone
Mutual funds must start filing Suspicious Activity Reports (SARs) on suspicious transactions according to a final rule issued by the Financial Crimes Enforcement Network (FinCEN). This new requirement becomes effective 180 days after the date of publication of the final rule in the Federal Register, which was May 4, 2006.
Posted In: Financial Institutions
Customer Identification Responsibilities for Agency Lending Transactions
Posted by Peter Mucklestone and Stuart Louie
On April 25, 2006, the Department of the Treasury, Financial Crimes Enforcement Network issued a guidance statement in respect of Customer Identification Program ("CIP") responsibilities arising out of transactions where U.S. banks or broker-dealers ("Agent Lenders") arrange loans of securities to broker-dealers ("Borrowers") under the Agency Lending Disclosure Initiative. In a typical agency lending transaction, an Agent Lender agrees to make securities (held by such Agent Lender on behalf of its customers ("Customers")) available to be loaned to Borrowers through Agent Lender's securities loan program. Other than imposing certain lending requirements and receiving periodic reports regarding loan transactions involving its securities, the Customers have virtually no role in the transaction. The master loan agreement is entered into between the Agent Lender and the Borrower and the Borrower typically records the loan transaction in an account in the name of the Agent Lender. Under the Agency Lending Disclosure Initiative, the Agent Lender, after the fact, will provide to Borrower information regarding the identities of the Customers whose securities have been loaned to the Borrower; however, the disclosure of such information is typically limited to certain personnel of Borrower responsible for credit risk management and regulatory capital reporting.
Posted In: Financial Institutions
2006 - The Year Of Communication
Posted by Peter Mucklestone
The Fifth National Conference on Ensuring Privacy and Security of Consumer Information, sponsored by the American Conference Institute, began Thursday morning at the Marriott East Side Hotel in New York. The conference is billed by its sponsor as the leading legal and regulatory forum for privacy professionals at financial institutions.
Posted In: Financial Institutions
Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines
Posted by Peter Mucklestone and Stuart Louie
The federal bank and thrift regulatory agencies recently announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines"). The Security Guidelines (i) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and (ii) establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. The Small-Entity Compliance Guide (the "Compliance Guide") is intended to help financial institutions comply with the Security Guidelines by summarizing the obligations of financial institutions to protect customer information and by illustrating how certain provisions of the Security Guidelines apply to specific situations.
Posted In: Financial Institutions
