
Entries in Information Security (15)


FFIEC Responds to Increased Cyber Threats With New Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) recently developed and released a Cybersecurity Assessment Tool in response to the growing number and sophistication of cyber attacks on financial institutions. The tool is consistent with the principles of the now-familiar Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) and with the FFIEC’s IT Examination Handbook.

The tool helps the management of a financial institution analyze the firm’s inherent cybersecurity risk based on a number of factors, including the quantity and types of technologies and internet connections deployed, the role of the online and mobile products and services it offers, and the organizational characteristics that demonstrate the firm’s security awareness and care or, conversely, its vulnerability to intrusion.

Each institution will rate differently based on its own threat profile and level of inherent risk. Financial institutions have long taken security seriously because of the obvious liability that follows the loss or destruction of financial assets. But cyber risks present a distinct kind of exposure, and financial institutions can no longer claim surprise or lack of awareness of the threat. Systematic and continuous risk management is key to reducing risk and, ultimately, to reducing liability should the firm suffer a breach.

How can lawyers help? Attorneys specializing in information security and risk management should be involved at every stage of risk assessment and mitigation, as well as in crisis response. Responsibility for cyber and information security should not rest exclusively with the IT department, because it inherently involves questions of liability and standards of care.

Lawyers can help with integrating information security, privacy and employment policies with cybersecurity protocols and policies; establishing and maintaining incident response programs; analyzing the reasonableness of cybersecurity investments – or lack thereof – against the legal standards of care; reviewing and negotiating insurance policies; establishing and maintaining active third party vendor risk management systems including contract review; and ultimately responding immediately and effectively in the event of an information or cybersecurity incident to help manage the crisis and mitigate the damages.

Rita Heimes, Counsel
Co-chair, Information Security & Risk Management Group
Verrill Dana LLP


New England Financial Institutions Face Increased Cybersecurity Risks

Noted cyber security blogger and journalist Brian Krebs recently obtained an exclusive interview with a New England bank that reported a sharp rise in fraudulent charges on debit cards. The scammers were making purchases with card numbers stolen from plain-old magnetic stripe cards, but coding the transactions so that they appeared to have been made with EMV (“chip”) cards, even though the bank had not yet issued any chip cards. This “EMV-spoofing” technique had been picked up by Canadian banks earlier this year and traced to Brazil.

“The recent EMV-spoofing cases point to the continued need for fraud detection mechanisms that even small banks and credit unions must implement to protect themselves,” said Ande Smith, a principal at the forensics and data security firm Deer-Brook, with whom Verrill Dana works closely in data breach cases. “During the transition phase, which may take years, the mish-mash of magnetic and chip/pin point-of-sale systems in the US will create opportunities to mask fraudulent activity.”

A recent report by the Federal Financial Institutions Examination Council (FFIEC) supports this call for improved risk management at regional banks and other financial institutions. The results of the FFIEC’s 2014 survey of 500 community financial institutions indicate that these institutions have room to improve in employee education and training on cyber risks, cybersecurity controls, understanding of their vendors’ cybersecurity risks, and incident management procedures, among other things.

Rita Heimes is a privacy and cybersecurity attorney in Verrill Dana’s Intellectual Property & Technology practice group. She and her team help companies with comprehensive information risk management programs including privacy policies, incident response plans, third-party contracts, employee training, and breach response.
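The fraud pattern described above lends itself to a simple issuer-side check: an authorization that claims a chip read on a card the issuer never issued as a chip card, or that claims a chip read but carries no EMV cryptogram, cannot be genuine. The following is an added example written for this page; it is not code from the post, from Krebs’s report, or from Deer-Brook. The entry-mode codes, the field names, the card roster and the sample authorizations are all constructed assumptions for illustration, and a real processor would apply its own code tables.

```python
# Added example: toy issuer-side detection of "EMV-spoofed" authorizations.
# All field names, codes, card profiles and sample records below are constructed
# for this example and are not taken from any real processor or bank.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# POS entry modes, loosely modelled on the first two digits of ISO 8583 DE22.
# Assumed values for this example only.
ENTRY_MAGSTRIPE = "90"   # magnetic stripe read
ENTRY_CHIP = "05"        # contact chip (ICC) read
ENTRY_FALLBACK = "80"    # chip read failed, terminal fell back to stripe


@dataclass
class Authorization:
    pan_token: str                  # tokenised PAN; never log the real PAN
    amount_cents: int
    entry_mode: str
    cryptogram: Optional[str] = None  # a genuine chip read carries an ARQC here


@dataclass
class CardProfile:
    chip_issued: bool               # has the issuer ever sent this card as chip?


def find_spoofed_chip_auths(
    auths: List[Authorization], profiles: Dict[str, CardProfile]
) -> List[Tuple[Authorization, str]]:
    """Return (authorization, reason) pairs for chip-coded authorizations
    that the issuer's own records show cannot be genuine chip transactions."""
    findings: List[Tuple[Authorization, str]] = []
    for a in auths:
        profile = profiles.get(a.pan_token)
        if profile is None:
            findings.append((a, "unknown card"))
            continue
        if a.entry_mode == ENTRY_CHIP:
            if not profile.chip_issued:
                findings.append((a, "chip entry mode on a magstripe-only card"))
            elif not a.cryptogram:
                findings.append((a, "chip entry mode without a cryptogram"))
        elif a.entry_mode == ENTRY_FALLBACK and not profile.chip_issued:
            findings.append((a, "chip fallback on a card never issued as chip"))
    return findings


# Constructed sample data: one magstripe-only card, one chip card.
SAMPLE_PROFILES = {
    "tok-1": CardProfile(chip_issued=False),
    "tok-2": CardProfile(chip_issued=True),
}

SAMPLE_AUTHS = [
    Authorization("tok-1", 4999, ENTRY_MAGSTRIPE),            # normal swipe
    Authorization("tok-1", 12000, ENTRY_CHIP),                # spoofed: card has no chip
    Authorization("tok-2", 2500, ENTRY_CHIP, "ARQC-deadbeef"),  # genuine chip read
    Authorization("tok-2", 7300, ENTRY_CHIP),                 # chip claimed, no cryptogram
    Authorization("tok-9", 100, ENTRY_CHIP),                  # PAN token not on file
]


def demo_reasons() -> List[str]:
    """Run the check over the constructed sample and return the reasons flagged."""
    return [reason for _, reason in find_spoofed_chip_auths(SAMPLE_AUTHS, SAMPLE_PROFILES)]


if __name__ == "__main__":
    for auth, reason in find_spoofed_chip_auths(SAMPLE_AUTHS, SAMPLE_PROFILES):
        print(f"FLAG {auth.pan_token} ${auth.amount_cents / 100:.2f}: {reason}")
```

The check is deliberately issuer-centric: it relies only on facts the bank already holds (which cards it has issued as chip, and whether a cryptogram arrived), so it works during the transition period the quote above describes, when the terminal population is mixed and the acquirer side cannot be trusted to have coded the entry mode honestly.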


Financial Institutions May Now Post Annual Privacy Policies Online

Under the Gramm-Leach-Bliley Act and regulations promulgated by the Bureau of Consumer Financial Protection (Bureau), financial institutions are required to provide customers with an annual disclosure of their privacy policies. The cost of mailing paper copies to consumers is significant. The Bureau therefore promulgated a new rule effective October 28, 2014, that allows financial institutions to post their notices via alternative delivery means, including on their websites, provided certain conditions are met.

Financial institutions can avoid considerable compliance costs by using this alternative notice method. Among the qualifications: (1) the privacy notice must not trigger any opt-out rights, and the institution must have previously provided any opt-out notices required; (2) the information in the privacy notice must not have changed since the prior notice; and (3) the financial institution must use the Bureau’s model form as its annual privacy notice. Other qualifications also apply, including (but not limited to) notifying customers at least annually, in a statement mailed to them, that the privacy policy is available online.

For more complete information about qualifying for the alternative annual privacy policy delivery option, review the Bureau’s final rule or contact Verrill Dana’s Banking Law group.


Tips for Merchants and Consumers Facing a Data Breach

The high-profile data breach at Target made international news. But small and midsized businesses face the majority of cyber attacks and are even more likely to have employees mishandle data than large enterprises.



FDIC "Supervisory Insights Journal" Now Out: Mobile Payments Highlighted

For the second year in a row, the winter edition of the FDIC’s Supervisory Insights Journal includes an article discussing the risks associated with mobile payment services. Last year’s article, which focused primarily on security and fraud concerns, was reviewed in a blog post last December. This year’s article highlights a broader range of risks associated with mobile payments. These risks arise in part because mobile payments require interactions among numerous entities in the payment process. In addition, much of the innovation in the market is driven by young, entrepreneurial companies that may not be familiar with the supervisory framework that applies to depository institutions.
