You may have noticed, On Miriah’s Mind skipped the month of September, but we are back in action now. Thanks for joining us. It’s officially Fall, and everything pumpkin spice is (mildly) socially acceptable for consumption.
Miriah’s Take: A Few Considerations for Cybersecurity Month
October is Cybersecurity Awareness Month, and there is no possible way I could have missed that. I’ve received a barrage of emails with tips and tricks about staying safe online and the importance of vigilant cybersecurity procedures and practices (NCUA press release, FBI press release, and the NICCS). These tips are great, especially for stubborn folks, like me, who have similar passwords for multiple accounts. If you are interested in the condensed version of the government’s message this month, it is Own IT. Secure IT. Protect IT., focusing on citizen privacy, consumer devices, and e-commerce security.
As we in the financial services industry know, e-commerce security is huge. We often argue that merchants should have applicable data safeguards in place through laws and regulations to better protect consumer data (including financial data), similar to financial services. Despite having federal requirements to protect customer information, the finance industry is more likely to suffer an attempted hack or hack of customer information. Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries. Why do you think that is? Send your reader feedback on that juxtaposition. My guess is that the type of data stored by your financial institution is probably more valuable on the dark web than the data stored by your local grocery store.
Let’s dive into the environment of data protection in the financial services industry. Gramm-Leach-Bliley Act (GLBA) is the most fundamental law protecting consumer data. Under GLBA, financial institutions are required to protect their customers’ private information, which could include name, address, phone number, credit card number, income, and social security numbers, to name a few. Under GLBA, the Safeguards Rule outlines privacy and security requirements that must be taken to adequately protect customers’ private information (promulgated by the Federal Trade Commission).
Some items in GLBA are pretty basic but also super important:
- Designate an employee(s) to coordinate an information security program;
- Identify and assess risks to customer information in various operational areas;
- Design and implement a safeguards program, monitor it, and test it regularly;
- Select competent service providers who can maintain safeguards; and
- Evaluate and adjust.
Undoubtedly, the majority of readers aren’t cybersecurity, risk, or IT professionals, but we are all pretty smart-smart enough to recognize that while compliance with GLBA may sound clear and actionable, protecting data isn’t simple. If it were simple, banks would not have lost more than $16.8 billion to cybercriminals in 2017. Over the past five years, the rate of breaches or theft of sensitive data in the financial services industry has tripled!
And in contrast, during the past year, 50% of U.S. retailers experienced a data breach. While hackers have to work harder to penetrate a financial institution that has safeguards in place (due to GLBA), merchants and retailers typically don’t give adequate consideration for storing and monitoring payment data (how many merchant breaches can we rattle off?). Overall, 75% of U.S. retailers have experienced at least one data breach in the past.
Let’s get a bird’s eye view of the forest now. Since 2013, over 14 billion data records were lost or stolen. By industry, social media has the highest number of compromised records and data with 56.18%, compared to the financial industry, which has .12% of total data records stolen or lost. In the middle falls hospitality, technology, retail, entertainment, and government.
So let’s bring this home. The financial services industry expends valuable resources to follow its laws and regulations to protect customer information, is more likely to be exposed to attempted hacks and breaches, and loses a significant amount of money due to breaches. Yet, financial services lead the industries in protecting accounts from breaches and security incidents. If other industries had federal laws and regulations requiring the business to take a more comprehensive approach to protect consumer data, what would the outcome be? Most likely, an environment that fosters and protects data leading to less breaches.
But what happens when there is a breach? Once the aftermath of the breach settles, there is litigation, albeit minimal. In 2018, there were only 103 class action lawsuits filed related to data breaches, representing a 48% decrease in the quantity of cases compared to 2017 (the quantity of cases means complaints are identified by unique defendant). Of the publicly reported data breaches in 2018, only 5.7% led to class litigation. While minimal class litigation gets filed, California is the preferred litigation forum, regardless of the location of the defendant.
With the effective date of the California Consumer Privacy Act (CCPA) approaching, it will be interesting to see whether this new law affects the prevalence of data breach litigation, especially since the state is the preferred forum. At a high level, the CCPA creates a private right of action in the event of a data breach for applicable consumers. In data breach litigation currently, there are about 26 legal claims plaintiffs rely on, from negligence to breach of duty of care. With the CCPA’s private right to action, a consumer would have to pledge the data breach involving personal information violated the CCPA, and thus the consumer is entitled to statutory damages. Read more about the CCPA and its private right of action at JD Supra and Medium.
Remember that while the law becomes operational on January 1, 2020, it will not to be enforced until six months after the California Attorney General issues final implementing regulations or July 1, 2020. What is your business doing to prepare for the CCPA? You can receive updates on the current CCPA rulemaking here.
Miriah’s Hot Topic: What is blockchain?
Blockchain is all over the news and a hot topic of conversation, but despite its popularity, I have no idea what blockchain is. To really understand blockchain, one probably needs a crash course. This month, we are attempting a mini crash course in understanding blockchain and its (potential) affect on the financial services industry. Recently, the U.S. House of Representatives passed a bill to require the study of blockchain technology, as it relates to FinCEN and making the agency more effective. Clearly, there is a need for multiple stakeholders to learn more about blockchain. Let’s increase our knowledge of blockchain together.
Blockchain is two digital items that work to form a massive data file. The “block” is digital information, and the “chain” is the public database. Thus, blockchain is just a fancy word for digital information stored in a public or private space. Wait, is it really that simple? No, of course not. The purpose of blockchain is to allow digital information to be recorded and distributed without the ability to edit the information. In blockchain technology, there are hundreds, thousands, and million copies of the same blockchain pattern. Each computer in a specific blockchain network would have its identical copy of the blockchain pattern. Apparently, spreading that information across a network of computers makes the information more difficult to manipulate, because there isn’t a single account of event to be manipulated. You can read more about how blockchain technology works at Investopedia, Deloitte, and Mission.
As with many hot topics, there are many articles claiming that blockchain will disrupt the financial services industry and articles claiming blockchain will be the next best thing to revolutionize the financial services industry. This blog isn’t weighing in on that debate. However, some of the largest financial institutions globally have begun to study and implement blockchain technology into their services. A recent report, Blockchain in Banking, looks at how blockchain is being considered and utilized at large financial services institutions. Participants include Citi Bank, JPMorgan, Bank of America, and Mastercard (note all institutions have assets over $100 billion). Let’s review some recaps of the report.
- Annually, the financial services industry invests $1.7 billion into blockchain technology as of 2018.
- Regulatory uncertainty is one more component of whether the technology can be efficiently deployed.
- The top two reasons why banks surveyed use blockchain is for payments and securities settlement. Fraud detection and security was the third top reason.
While blockchain technology is commanding a significant investment at large financial institutions, can it be utilized at community financial institutions? Some argue that during its infant stages in technology development, the impact of blockchain at community financial institutions is small. Others argue that community financial institutions should collaborate to bring blockchain technology to aspects of the financial services industry to develop efficiencies that will benefit everyone, such as blockchain technology in title registry, mortgage loan origination, and even in the Bank Secrecy Act. As credit unions have an inherently collaborative structure, how are credit unions approaching blockchain technology? The Credit Union Journal stresses transforming many operational banking aspects through blockchain, such as call center transformations, voice banking, in-person ID verification, and cross-border international payments (Also check out this report by Glenbrook and PSCU on blockchain technology specifically in the credit union space). With all types of innovative technology that require massive capital, it seems that collaboration should be a primary approach of community financial institutions so that they can stay competitive with their massive banking counterparts, who can put $1.7 billion a year into these types of developments.
This blog would like to know: has blockchain been on your radar? What blockchain developments would you like to see within a year? What other technology developments are you monitoring?
Everything but the Kitchen Sink
Does this section look new to you? “Everything but the Kitchen Sink” is making its first appearance on the blog. This section for all the other items the blog wants to cover but cannot fit into our regularly scheduled sections.
There are two litigation updates that you should be aware of, as they both deal with topics previously covered by this blog.
- Robles v. Domino’s litigating whether or not Domino’s pizza must have a website that is Americans with Disabilities Act (ADA) accessible for a blind plaintiff. Plaintiff had won at the 9th Circuit Court of Appeals after a panel determined that the Domino’s could be sued by the plaintiff, who alleged Domino’s did not have accessible website and mobile app. Domino’s appealed the 9th Circuit’s decision to the U.S. Supreme Court, who decided not to hear the case, leaving intact the lower court’s opinion. You can read the Supreme Court’s order here. Because the plaintiff can sue Domino’s the case will move forward to trial (or settle). Read more about the case from CNBC or the LA Times.
- Salcedo v. Hanna litigating whether or not receiving a single unsolicited text message amounts to an injury required for a Telephone Consumer Protection Act (TCPA) claim. The plaintiff brought a TCPA claim against his former attorney because plaintiff received one unsolicited text message offering a discount on legal services. The District Court denied the defendant’s (attorney) motion to dismiss, which was appealed. Looking at standing (Article III of the U.S. Constitution), the court considered whether a technical violation of the statute could amount to an injury to bring forth a claim. The plaintiff alleged that he wasted time in answering the text that he would otherwise be available to “enjoy the full utility of his cell phone,” but the court determined that did not amount to tangible harm. Thus, the plaintiff had no injury to satisfy standing requirements and cannot move forward with the case. Read more about the case at JD Supra and this popular TCPA Blog.
Send your funny regulatory stories, reader feedback, and future topics ideas to at email@example.com.