The high-profile data breach at Target made international news. But small and midsized businesses face the majority of cyber attacks and are even more likely to have employees mishandle data than large enterprises.
Entries in Information Security (12)
For the second year in a row, the winter edition of the FDIC’s Supervisory Insights Journal includes an article discussing the risks associated with mobile payment services. Last year’s article, which focused primarily on security and fraud concerns, was reviewed in a blog post last December. This year’s article highlights a broader range of risks associated with mobile payments. These risks arise in part from the fact that mobile payments require interactions between numerous entities in the payment process. In addition, much of the innovation in the market is driven by young, entrepreneurial companies that may not be familiar with the supervisory framework applicable to depository institutions.
First Circuit Reverses Patco v. People’s United: Internet Banking Security Procedures were not Commercially Reasonable
On July 3, 2012, a three-judge panel of the First Circuit Court of Appeals reversed the summary judgment granted to People’s United Bank in the case of Patco Construction Co., Inc. v. People’s United Bank, --- F.3d ----, 2012 WL 2543057 (C.A. 1 (Me.)). The case has been widely followed in the banking industry, there being few court decisions analyzing the legal framework for liability with respect to unauthorized internet banking transactions. The original grant of summary judgment by the Federal District Court of the District of Maine was considered a victory for the bank, but the First Circuit’s decision negates most of this victory.
A special Electronic Crimes Task Force formed by the United States Secret Service and the Texas Department of Banking recently issued a report entitled “Best Practices: Reducing the Risks of Corporate Account Takeovers” (the “Report”). The Report details nineteen recommended processes and controls that focus on the core elements of a risk-management framework developed by the Secret Service, the FBI, the Internet Crime Complaint Center, and the Financial Services Information Sharing and Analysis Center: protect, detect, and respond. The Report expands on the standards set forth in the FFIEC’s Supplement to Authentication in an Internet Banking Environment issued in June of 2011, which we discussed in a prior blog post.
The value of the Report lies in the specificity of its recommendations. Each of its nineteen recommended processes and controls is accompanied by detailed examples and “best practices” for consideration. The Report also provides a number of references and sample forms, including for risk assessment and employee/customer training. Although certain best practices may not be appropriate in a particular circumstance, the Report can serve as a useful checklist and resource in developing risk assessment and mitigation programs.
Maine Banker, the trade magazine for the Maine Bankers Association, recently published an article entitled Internet Banking: Six (or so) Key Lessons in its March-April 2012 edition. The article was co-authored by James Cohen and Alistair Raymond of Verrill Dana, LLP. The article addresses a number of key considerations for banks when managing their Internet banking platforms.