Wednesday, December 28, 2016

Cyber Security Claims


Cyber security claims are seldom tempered by an entity's acknowledgement that its electronically stored information (ESI) and its handling of consumer personal identifying information (PII) remain insecure.  However diligent the planning and effort, they cannot anticipate every cyber incident or breach, and the protection they provide should not be overstated.  Entities appear to devote nearly all of their attention to anticipated, externally caused incidents and little to internally sourced events.  Seldom does an entity envision the internal incident, such as human error, theft, or neglect.  Balance is required, and much care is needed before publicly claiming the quality of one's data security.  For instance, the risk of internal unauthorized access to trade secrets leading to misappropriation is realistic, yet under-appreciated.  This is not to spawn an environment of distrust in the workplace.   Of course, it is difficult to swallow that employees would pilfer company knowledge, designs, formulas, or even the company's new R&D software specifications for self-gain.  A word to the wise if you are a business: swallow it fast and be ready.  Since the vulnerability can arise from external as well as internal actors, any public claim about the quality of an entity's secure data handling is assessed as a business representation.  Such cyber security claims should account for internal vulnerabilities in data handling as well as the externally sourced causes we read about all too often in the news.

From an internal point of view, a business's or agency's most imminent vulnerability lies in its personnel and their mishaps, forgetfulness, or deliberate sabotage.  This is, of course, in addition to external concerns.  An employee with increasingly frequent absences always draws concern and some form of inquiry, especially one who has access to critical company information.  This concern is realistic enough that it has motivated states to promulgate their own versions of a uniform trade secrets act together with provisions addressing computer crimes.  Some of these enactments allow civil and monetary remedies when business data is compromised because someone, whether inside or outside the entity, exerted unauthorized access.

With the ease of ESI transmission, unauthorized access has become so prevalent that business insurance companies struggle to fathom the risk.   This reality is compounded by anonymous activity through bots, exchanges, and other means that leave the business owner, who holds client data, innovative plans, and new processes under beta testing, without protective leverage.  Backdoor access is always a possibility, especially among trusted insiders who share in the prosperity of the enterprise.  Worst-case events are what gave rise to FUTSA and CADRA in Florida[1] and to similar statutes in many other states that appreciated the seriousness of the problem.

The insecurity of data in the cyber world is, unfortunately, inherent in the way we store and transmit ESI in our day-to-day business endeavors.  Customer information, as well as business assets, is at stake in the realm of cyber insecurity.  Security is only as strong as the weakest link in the chain of transmission.  Once vulnerability is recognized in its present state, the urgency is to focus not only on firewalls and other technical controls but also on internal employee training, policies, non-disclosure agreements, vendor contracts, vendors' due diligence toward cyber security, cyber insurance policies (including vendors' cyber insurance) and reviews of their coverage, and vetting vendors' cyber liability coverage before inking a deal.

Can a business claim to safeguard its data assets, so as to engender public confidence in the security of ongoing credit card transactions, the storage of personal account information, the transfer of its customers' medical records, or the updating of financial records, if it has not properly vetted its vendors' cyber security practices?  Even a qualified claim carries the risk of misrepresentation in the regulatory eyes of the Federal Trade Commission.  ESI is business as usual, and the role of risk management is to attend not only to the external aspect of cyber intrusion but to balance that attention with internal controls that anticipate the unpredictable.

It is obvious that consumer data security claims by many businesses seek to settle the fears and doubts of consumers engaging in electronic payments.  However, those representations should be tempered with an accurate description of the practices actually in place to keep consumer information and transaction data secure.  Claims that prove to lack implementation, the claimed training, diligent assessment and evaluation, investment in reasonable resources, or even testing will be scrutinized.   Several agencies have been tasked, each with a different scope of authority, to do that.  It is important to note that the CFPB's authority over such claims derives from the Dodd-Frank Act.[2]  Protection of consumers' confidential information has been the responsibility of the Federal Trade Commission under the Gramm-Leach-Bliley Act.  Deceptive practices by covered persons, including financial institutions, fall under the Consumer Financial Protection Bureau (CFPB) pursuant to sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, for the purposes of enforcing federal consumer financial laws.

The veracity of business claims about protecting consumer data and payment processing is a candidate for scrutiny.   Failure to live up to stated security claims can be deemed a deceptive business practice.  The CFPB has stressed the importance of attending to the integrity of digital payment system security.  It has likewise emphasized the growing reliance and trust that consumers display when entrusting their private and financial information to electronic transactions.  In a recent press release it stated: “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

While the FTC, the Office of the Comptroller of the Currency (OCC), and other federal banking agencies are authorized to police the handling of data security, the CFPB, which is tasked with overseeing consumer financial products and services, reviews the processes of online payment platforms.  One incident worth noting in this post is the CFPB's review of the claims made by Dwolla, Inc.  Dwolla is an online payment transaction platform that had provided payment processing services through the Department of the Treasury's payment portal.  In an order issued in the CFPB's administrative proceeding, Dwolla was found to have made deceptive data security representations to the public.  The consent order states that Dwolla's communications made false statements about its data safety practices, e.g., about its use of encryption and that its practices surpassed the Payment Card Industry (PCI) standards.  Conversely, the CFPB asserts that Dwolla, despite claiming to, did not: provide acceptable data security training to its employees, establish acceptable and appropriate data security policies and practices, conduct timely and regular risk assessments, or use encryption as claimed.  These aspects are considered crucial to providing data security and to claiming any level of quality for the cyber security in place.

The order also outlined a list of required corrective actions, with a five-year horizon within which Dwolla is ordered to comply with the stipulated items, report the actions taken to remedy the findings, record all implementations and findings, and continue to submit compliance monitoring reports on schedule.  From this case, financial technology businesses involved in payment processing should carefully screen the representations in their communications, websites, advertisements, and press releases concerning their practices and standards.  Failure to apply what is claimed to be in practice, and failure to exercise due diligence in safeguarding confidential consumer financial information, can be punished even where no consumer has been harmed.  Advertisements and marketing efforts in this competitive and growing payment processing industry should be tempered with a sober realization of what is actually implemented in the daily cycle of transactions and in the keeping of records.   Thus, a civil money penalty was imposed on Dwolla, payable within ten days of the order, and Dwolla will be monitored for the next five years.

The lessons of data security are hard to learn when an entity becomes the subject of a cyber incident or a regulator seeks to audit its processes.  What can be said about cyber security, and about any claims of how it is employed, is that once a cyber incident hits one's business or entity, everything will be scrutinized by outside parties claiming damages and by regulators asserting that reasonable diligence was not employed to secure ESI and consumer personal identifying information (PII).  Transparency will soon be forced, to the chagrin of the business or entity, on whoever experiences a cyber incident, whether internally or externally sourced, or is found after an audit to be out of compliance.  Hence, cyber security efforts need to be assessed before any claims are made, and such efforts must be evaluated, tested, and improved upon.


[1] Florida Uniform Trade Secrets Act (FUTSA), Chapter 688, Florida Statutes; Sec. 812.081, Florida Statutes; Computer Abuse and Data Recovery Act (“CADRA”), Sec. 668.801, Florida Statutes.


[2] The Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111-203, H.R. 4173; commonly referred to as Dodd-Frank) was signed into federal law on July 21, 2010.