PaymentsCompliance: Data Protection In A ‘Post-Dwolla’ World: Industry Told To Up Standards

20TH SEP 2016 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.

U.S. financial institutions that are well prepared for a cyber-attack could save millions of dollars if a breach occurs, legal experts have said, in an increasingly hostile regulatory environment.

Courtney Stout, an attorney at Davis Wright Tremaine law firm, told last week’s Emerging Payment Systems event in Washington, D.C. that the average cost of identifying a data breach in fewer than 100 days is $5.8m, compared with $8m for firms that act more slowly.

To control a breach in less than 30 days will cost an average of $5.2m, compared with $8.8m after 30 days, she added.

“Things that you can do to prepare your employees can save your company money,” Stout said.

“Data breaches can be prevented if you have all of the right people.”

Online payment platform Dwolla was fined $100,000 by consumer protection authorities in March, despite there being no allegation that a data breach actually occurred; the case has since been seen as a landmark by cybersecurity experts.

The Consumer Finance Protection Bureau (CFPB) said Dwolla had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and so was liable for a financial penalty — the first it had ever issued on security grounds.

“We don’t know what started the Dwolla investigation,” Stout added. “It was one of the first cases that didn’t stem from a data breach.”

For New York lawyer Jessica Sklute, special counsel at Schulte Roth & Zabel, payments providers and other financial firms should ensure they are meeting requirements set out in the Gramm-Leach-Bliley Act (GLBA).

“GLBA is the primary U.S. law that governs privacy,” said Sklute.

“It’s meant to regulate financial institutions, but broadly covers many businesses.”

The act generally requires that financial institutions inform their customers annually on how they share customers’ non-public personal information.

If the institution shares this information with unaffiliated third parties in ways other than specified by statute, Sklute warned that the institution must notify customers of their right to opt out of sharing, and inform them how to do so.

The federal law consists of three sections:

  • The financial privacy rule, which regulates the collection and disclosure of private financial information.
  • The safeguards rule, which stipulates that financial institutions must implement security programs to protect such information.
  • The pretexting provisions, which prohibit the practice of accessing private information using false pretences.

The GLBA, particularly the safeguards rule, has been used by the CFPB and the Federal Trade Commission (FTC) to investigate and fine companies that violate standards when it comes to cybersecurity and data privacy.

Sklute said the FTC has settled more than 50 data security cases over the years under the GLBA.

She said that some of the best examples were cases involving Eli Lilly, Snapchat, and Wyndham Worldwide.

“The CFPB has been very aggressive,” said attorney Barrie VanBrackle, a partner with Orrick, Herrington & Sutcliffe.

“It takes a company down and a lot of others with it.”

For Sklute, the CFPB’s case against Dwolla using the safeguard provision of the GLBA means companies need to be careful of the promises they make about protecting customers from data breaches and other cybersecurity threats.

Among Sklute’s suggestions were maintaining communications between the legal and marketing teams, accurately reflecting policies and practices of the business, and avoiding consumer promises that are not legally or technically accurate.

Stout agreed, but focused her comments on how companies can mitigate the risk from a data incident.

She reminded event attendees it is not a matter of if, but when, a company deals with a data breach.

Among the factors that can decrease a financial firm’s exposure is creating an incident response team and training its employees.

What a business cannot control, Stout said, is the size and type of incident.

“Size is going to be one of the very few elements of a breach that are out of your control,” she said.
