
Entries in Information Security (14)

Tuesday, Nov 18, 2014

New England Financial Institutions Face Increased Cybersecurity Risks

Noted cyber security blogger and journalist Brian Krebs recently gained an exclusive interview with a New England bank that reported a sharp rise in fraudulent charges on debit cards. The scammers were making purchases with card numbers stolen from plain-old magnetic stripe cards but making the transactions look as if they were made with EMV (“chip”) cards, although the bank had not yet issued such cards. This “EMV-spoofing” technique had been picked up by Canadian banks earlier this year and traced to Brazil.

“The recent EMV-spoofing cases point to the continued need for fraud detection mechanisms that even small banks and credit unions must implement to protect themselves,” said Ande Smith, a principal at the forensics and data security firm Deer-Brook, with whom Verrill Dana works closely in data breach cases. “During the transition phase, which may take years, the mish-mash of magnetic and chip/pin point-of-sale systems in the US will create opportunities to mask fraudulent activity.”

A recent report by the Federal Financial Institutions Examination Council (FFIEC) supports this call for improved risk management at regional banks and other financial institutions. The results of the FFIEC’s 2014 survey of 500 community financial institutions indicate that these institutions have room to improve in employee education and training on cyber risks; cybersecurity controls; understanding their vendors’ cybersecurity risks; and establishing incident management procedures, among other things.

Rita Heimes is a privacy and cybersecurity attorney in Verrill Dana’s Intellectual Property & Technology practice group. She and her team help companies with comprehensive information risk management programs including privacy policies, incident response plans, third-party contracts, employee training, and breach response.

Monday, Nov 17, 2014

Financial Institutions May Now Post Annual Privacy Policies Online

Under the Gramm-Leach-Bliley Act and regulations promulgated by the Bureau of Consumer Financial Protection (Bureau), financial institutions are required to provide customers with an annual disclosure of their privacy policies. The cost of mailing paper copies to consumers is significant. The Bureau therefore promulgated a new rule effective October 28, 2014, that allows financial institutions to post their notices via alternative delivery means, including on their websites, provided certain conditions are met.

Financial institutions can avoid considerable compliance costs by using this alternative notice method. Among the qualifications: (1) the privacy notice must not trigger any opt-out rights, and the institution must have previously provided opt-out notices as required; (2) the information included in the privacy notice must not have changed since the prior notice; and (3) the financial institution must use the Bureau’s model form as its annual privacy notice. Other qualifications also apply, including (but not limited to) notifying customers at least annually, through a statement mailed to them, that the privacy policy is located online.

For more complete information about qualifying for the alternative annual privacy policy delivery option, view the final rule here or contact Verrill Dana’s Banking Law group.

Tuesday, Aug 26, 2014

Tips for Merchants and Consumers Facing a Data Breach

The high-profile data breach at Target made international news. But small and midsized businesses face the majority of cyber attacks and are even more likely to have employees mishandle data than large enterprises.


Friday, Dec 21, 2012

FDIC "Supervisory Insights Journal" Now Out: Mobile Payments Highlighted

For the second year in a row, the winter edition of the FDIC’s Supervisory Insights Journal includes an article discussing the risks associated with mobile payment services. Last year’s article, which focused primarily on security and fraud concerns, was reviewed in a blog post last December. This year’s article highlights a broader range of risks associated with mobile payments. These risks arise in part from the fact that mobile payments require interactions between numerous entities in the payment process. In addition, much of the innovation in the market is driven by young, entrepreneurial companies that may not be familiar with the supervisory framework applicable to depository institutions.


Friday, Jul 6, 2012

First Circuit Reverses Patco v. People’s United: Internet Banking Security Procedures were not Commercially Reasonable

On July 3, 2012, a three-judge panel of the First Circuit Court of Appeals reversed the summary judgment granted to People’s United Bank in the case of Patco Construction Co., Inc. v. Peoples United Bank, --- F.3d ----, 2012 WL 2543057 (C.A. 1 (Me.)). The case has been widely followed in the banking industry, as there are few court decisions analyzing the legal framework for liability with respect to unauthorized internet banking transactions. The original grant of summary judgment by the Federal District Court for the District of Maine was considered a victory for the bank, but the First Circuit’s decision negates most of this victory.
