The guidance begins with the premise that a financial institution’s use of social media to interact with customers can impact the institution’s risk profile, not only through legal and compliance risks, but also related risks of harm to operations and reputation. To address these risks, the FFIEC recommends that financial institutions adopt a risk management program to identify, monitor, and control the risks associated with its use of social media.  The complexity of the program should be commensurate with the risks created by the nature and scope of the institution’s use of social media.  The guidance identified seven components that the social media risk management program should contain: (1) a governance structure; (2) policies and procedures; (3) a vetting and management process for vendors; (4) employee training; (5) monitoring of posts to proprietary social media sites; (6) audit/compliance functions to ensure ongoing compliance; and (7) parameters for reporting on the effectiveness of the program to management. 

The guidance then discusses in greater detail the risks created by social media use.  Under the compliance and legal risk section, there is a summary of laws and regulations that may apply when a financial institution uses social media.  The laws discussed include Truth in Savings, Fair Lending, Fair Housing, Truth in Lending, RESPA, FDCPA, UDAAP, EFTA, BSA/AML, and  privacy (GLBA, COPPA, TCPA, CAN-SPAM).  Under the discussion of reputational risk, there is a recommendation that financial institutions adopt policies to address employee participation in social media, which has employment law implications based on recent NLRB decisions.  The operational risk discussion is brief and essentially says that institutions should safeguard customer data, especially because social media is vulnerable to account takeover and the distribution of malware.  Accordingly, the guidance recommends that an institution’s incident response policy address social media as appropriate.

The FFIEC is specifically seeking comments by March 18 on the following questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

The First Circuit decision and resulting settlement highlight the risk to banks if they do not implement and maintain adequate security solutions, especially as the attack vectors used by criminals continue to evolve.  This summer, a crime ring operating what became known as the  Eurograbber campaign—a sophisticated operation that used customized versions of the Zeus and Zeus in the mobile (ZITMO) Trojans to bypass two-factor authentication measures to gain access to customer bank accounts—stole $47 million from over 30,000 customers across more than 30 banks in Europe.

The lessons-learned and issues to consider we included in our July post on the First Circuit’s decision were:

(1) Implementing a one-size fits all security solution or failing to implement the solution as designed will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g. reviewing high-risk transactions before processing) but the bank does not.

(2) When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?

•Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?

•It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.

•Are there protocols that results in at least temporarily blocking or adding heightened monitoring to all orders on accounts where the customer reports suspicious activity to prevent fraudulent orders from being processed after the bank receives the first report of suspicious activity?

(3) If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?

(4) In addition to other security features and best-practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?

(5) In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.

This scenario occurred in 2009 between Patco Construction Company and Ocean Bank (later acquired by People’s United Bank). Patco filed suit to recover $345,000 in fraudulent wire transfer losses, but the district court found that the bank had implemented reasonable security measures, allocated the risk of loss to Patco and dismissed all of Patco’s claims. On July 3, 2012, the First Circuit Court of Appeals reversed the district court upon finding that the bank failed to implement commercially reasonable security methods to prevent unauthorized transfers. The First Circuit’s decision offers valuable lessons, which are dependent on understanding how the law allocates risk and the security methods that were used.

The Law. Article 4A of the Uniform Commercial Code allocates the risk of loss for unauthorized commercial wire and ACH transfers to the bank that receives the transfer order unless the bank can show that it accepted the order in good faith and followed a commercially reasonable security procedure for verifying the transaction that was agreed to by the customer. The bank must show that the security procedure was reasonable for that specific customer and bank based on any express instructions from the customer, as well as the circumstances of the customer known to the bank (size, type and frequency of payment orders normally issued by the customer), alternative security procedures offered to the customer, and security procedures in general use by similarly situated banks and customers.

The Security Procedures. In October 2005, the FFIEC issued guidance for authentication in Internet banking, which recommended that banks implement multifactor authentication, layered security, or other controls to mitigate the risk of fraud associated with single-factor authentication (i.e. username and password). To meet the guidance, the bank purchased a “premium package” from a security vendor and implemented a multifactor authentication security procedure with six features: (1) user ID and password; (2) device authentication using a cookie; (3) risk profiling using an algorithm that assigned a risk score to each login and transaction based on factors such as location, IP address and size, type, and frequency of orders; (4) challenge questions; (5) dollar amount of the order that triggers challenge questions; and (6) blacklisting of IP addresses associated with known instances of fraud. The bank did not use out-of-band authentication or tokens.

The Fraudulent Transfers. For six years, Patco used Internet banking to make ACH transfers primarily for payroll. The payroll ACH transfers were always made on Fridays from a computer in Patco’s office with the same static IP address. Over six years, the largest ACH amount was $36,000 and the highest risk score was 214. In May 2009, an unauthorized person who supplied the correct user name, password and challenge question answers to access Patco’s Internet bank account made a series of daily fraudulent ACH transfers over the course of one week that totaled $588,851. All of the logins associated with the fraudulent transfers were from an unrecognized device and an IP address that Patco had never used. The daily fraudulent transfers were two and three times larger than any daily transfer Patco had requested in the prior six years, and they were assigned high-risk scores of 720 and 790. The payments were directed to accounts that had never before received payments from Patco. Even though the fraudulent transfer orders generated high-risk scores, the bank did not manually review any of the high-risk transactions.

The fraudulent transfers were only detected after Patco received notice by mail from the bank that some of the fraudulent transfers failed because they were sent to invalid account numbers. Even after Patco notified the bank of unauthorized transfers, another unauthorized transfer order was placed and initially processed by the bank. The bank was only able to recover or block some of the transfers, leaving a net loss of $345,000.

Commercially Unreasonable. In finding that the bank’s security procedures were commercially unreasonable, the First Circuit relied on the totality of the following “collective failures”: (1) prior to May 2009, the bank was aware of the increased fraud resulting from keylogger malware and had already experienced two other instances of fraud associated with keylogger malware; (2) the bank lowered its dollar threshold for the use of challenge questions from $100,000 to $1, which the court determined substantially increased the risk that a keylogger would capture the challenge question answers at the same time as the log-in credentials; (3) the bank introduced no additional security measures to counter its decision to lower the challenge question threshold; (4) other similarly situated banks had introduced the use of tokens or manual review and verification of uncharacteristic or suspicious transactions; and (5) the fraudulent transactions were flagged as uncharacteristic, highly suspicious, and potentially fraudulent from a “very high risk non-authenticated device,” but the bank did not use that information in processing the transactions.

Consumer Obligations. The First Circuit noted that there are open questions under Article 4A of the UCC as to what, if any, obligations a company has when the bank’s security system is commercially unreasonable. The court identified two factual issues that might affect this determination. First, Patco argued that it requested e-mail alerts from the bank but never received them, while the bank argued that it sent a general notice to all customers with instructions on how to change their “Alerts” to receive e-mail alerts and Patco never set its account to receive alerts; and (2) whether the fraud originated from keylogging malware because Patco was alleged to have failed to properly preserve available computer forensic evidence (the anti-virus scan that Patco’s IT consultant ran after the fraud was detected quarantined and deleted the encryption key necessary to see the configuration file, which could have shown whether the malware was configured to capture log-in credentials).

The lessons-learned and issues to consider based on this decision include:

(1) Implementing a one-size fits all security solution or failing to implement the solution as designed will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g. reviewing high-risk transactions before processing) but the bank does not.

(2) When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?

• Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?
• It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.
• Are there protocols that results in at least temporarily blocking or adding heightened monitoring to all orders on accounts where the customer reports suspicious activity to prevent fraudulent orders from being processed after the bank receives the first report of suspicious activity?

(3) If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?

(4) In addition to other security features and best-practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?

(5) In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.

The written identity theft prevention programs mandated under the proposed rules would be designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.  Such programs would be triggered by the occurrence of certain “red flags,” including such patterns, practices and specific activities that indicate a potential instance of identity theft.

The proposed rules would apply to broker-dealers, mutual funds and other SEC-regulated entities, as well as future commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, introducing brokers, swap dealers and major swap participants on the CFTC side.

The release also includes guidelines to assist entities in their compliance with the proposed rules.

Authorship Credit: Robert A. Oestreicher

The new regulations will apply to any person engaged in interstate commerce that stores or collects any of the following online data regarding an individual: (1) online activity, including web sites visited and time of access; (2) IP address; and (3) personal information, including name, e-mail address, phone number, or financial account information.  Covered entities would have to disclose their collection and sharing practices, including identifying by name who they share information with.  The bill would allow the FTC to exempt commonly accepted commercial practices like the collection of information for billing purposes.

Failure to comply with the new regulations would constitute an unfair or deceptive trade practice.   In addition to the FTC, state attorneys general would have the authority to bring a civil action to enforce violations of the new Do Not Track regulations.  Civil penalties would be calculated by multiplying the number of days a covered entity was not in compliance by an amount up to $11,000 per day, up to a maximum total liability of $5,000,000.      

Speier also introduced the “Financial Information Privacy Act of 2011” on February 11.  According to her press release:

“The Financial Information Privacy Act of 2011 would finally give consumers the ability to control the sharing of their own financial information. The bill mirrors legislation Speier successfully steered to passage in California that prevents financial institutions from sharing or selling personally identifiable nonpublic information with affiliates without an opportunity to opt-out, or in the case of unaffiliated third parties, a requirement that consumers opt-in. This bill gives consumers control of their personal financial information and provides meaningful but workable privacy protection.”

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published the Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data include:

• simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
• creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
• extending protection to information collected offline;
• dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
• a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments. 

 (2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

• Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
• Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
• Encourage global interoperability.
• Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

• Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, details of 100 million Facebook users were published online, and questions from U.S. Senators.
• Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
• In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

 (5)  HHS/HIPAA/HITECH

• White House Forms New Subcommittee to Review Online Privacy Issues
• HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services. 

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

• Designate an employee to maintain the security program;
• Identify and evaluates internal and external security risks;
• Impose disciplinary measures for violations of the program rules;
• Oversee third-party service providers;
• Require regular monitoring and updating of the program; and
• Documents responsive actions taken in connection with any breach of security.

For many business, the most difficult compliance issues arises from the encryption mandates of 201 CMR 17.04, which requires the encryption of: (1) laptops containing personal information that leave the businesses premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.