Bryan Cave Leighton Paisner Banking Blog


GDPR Considerations for Community Banks

The May 25, 2018, compliance effective date of the EU’s General Data Protection Regulation (GDPR) is just weeks away, and many U.S.-based companies have by now at least taken stock of their EU customer base and operations and developed a baseline set of compliance plans.  For many, that might only entail a data inventory and controls ensuring that changes to the company’s business plan, advertising strategies, and physical footprint are assessed for GDPR compliance in advance, just as with any other area of compliance.  However, for companies whose business relies upon the gathering and use of consumer data, the GDPR implementation process has been onerous.

In particular, as recent American Banker coverage has described, this compliance effort is hitting financial institutions of all sizes hard.  While the exact nature and magnitude of enforcement exposure is still unclear, U.S. banks should take a broad view of their overseas business – including where U.S. customers temporarily work or travel – in order to stay ahead of GDPR compliance issues.

For U.S.-based small businesses, including community banks, the conventional wisdom has focused on whether the institution solicits or services EU customers.  Unfortunately this approach may cause banks or other businesses to underestimate their potential exposure.

For purposes of the GDPR, compliance obligations for companies without a physical presence in the EU are generally only implicated if the company (1) offers goods or services to individuals in the EU or (2) monitors the behavior of individuals in the EU (referred to affectionately as “data subjects” in the regulation).  Note that the test turns on where the individual is, not on whether the individual is an EU citizen or an existing customer.

Of particular concern for community banks is whether tourists, foreign work assignments, or overseas service members could cause the bank to become subject to GDPR obligations.


Snow, Cybersecurity and Data Breaches with Jena Valdetero

On the latest episode of The Bank Account, Jonathan and I were joined by our Chicago partner, Jena Valdetero, to discuss snow, cybersecurity and data breaches.  While Jena would normally be the one dealing with winter weather, it was Jonathan and myself watching the snow fall in Atlanta while Jena enjoyed a relatively warm, sunny day in Chicago.

Jena is part of Bryan Cave’s Data Privacy and Security Team, and joined us to discuss some of the current threats in cybersecurity and some of the steps that banks (and bank customers) should be taking, as well as offering some thoughts on how banks can assist their customers in minimizing the ever present cybersecurity risk.

Among the resources discussed by Jena were:

And I’m going to go change my passwords now….


Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

Over the last decade, as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into cyber fraud insurance as one means of minimizing risk. A recent decision by the Eighth Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota, Kirchberg, initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. FedLine enforced a dual-control requirement: to complete a wire transfer, two Bellingham employees had to enter their individual user names, insert their individual physical tokens into the computer, and type in their individual passwords and passphrases.

In this instance Kirchberg initiated the wire alone, inserting both physical tokens and entering the passwords for both herself and the other employee. After initiating the wire she left the two tokens in the computer and left it running overnight. Upon returning the next day she discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. She immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve did, however, contact the intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.

Bellingham promptly notified BancInsure of the loss and made a claim under its financial institution bond, which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. An investigation determined that the computer had been infected with Zeus (described in the record as a “Zeus Trojan horse” virus), a banking trojan that gave the attackers access to the computer, with both tokens still inserted, to issue the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy, including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.
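The control that failed here was not the tokens or the passwords but the dual-control rule around them: one person held both credentials, both tokens sat in one machine, and the authenticated session stayed live overnight for the malware to use. The model below is an added illustration, not FedLine code and not part of the original post; it assumes a hypothetical wire system in which each approver authenticates in their own session (token plus password), the second approval must come from a different operator at a different workstation, each token can back only one live session, and an idle session expires after an assumed 15-minute timeout. Operator names, token serials, passwords and workstation names are constructed sample data.

```python
"""Dual-control wire approval, modelled to show how the Bellingham facts would
be handled. Illustration only; FedLine's real rules are not public here."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not a FedLine setting


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Operator:
    name: str
    token_serial: str  # serial of the physical token this operator holds
    salt: bytes
    pw_hash: bytes

    @classmethod
    def enroll(cls, name: str, token_serial: str, password: str) -> "Operator":
        salt = secrets.token_bytes(16)
        return cls(name, token_serial, salt, _hash(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


@dataclass
class Session:
    operator: str
    workstation: str
    token_serial: str
    last_activity: float


@dataclass
class WireSystem:
    operators: dict
    sessions: dict = field(default_factory=dict)   # session id -> Session
    approvals: dict = field(default_factory=dict)  # wire id -> [(operator, workstation)]

    def login(self, name, password, token_serial, workstation, now):
        op = self.operators.get(name)
        if op is None or not op.check_password(password) or op.token_serial != token_serial:
            return None
        # One live session per token: a token already in use cannot open a second session.
        if any(s.token_serial == token_serial for s in self.sessions.values()):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(name, workstation, token_serial, now)
        return sid

    def _live(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_activity > IDLE_TIMEOUT:
            del self.sessions[sid]  # a token left in the machine overnight no longer helps
            return None
        s.last_activity = now
        return s

    def approve(self, sid, wire_id, now):
        s = self._live(sid, now)
        if s is None:
            return "REJECTED: no live session"
        prior = self.approvals.setdefault(wire_id, [])
        for op, ws in prior:
            if op == s.operator:
                return "REJECTED: same operator"
            if ws == s.workstation:  # both tokens in one desktop is not dual control
                return "REJECTED: same workstation"
        prior.append((s.operator, s.workstation))
        return "RELEASED" if len(prior) >= 2 else "PENDING: needs second approver"


def _system():
    ops = [Operator.enroll("alice", "TOK-1", "pw-a"), Operator.enroll("bob", "TOK-2", "pw-b")]
    return WireSystem({o.name: o for o in ops})


def demo():
    """Three constructed scenarios; returns the outcome of the decisive step in each."""
    out = {}
    # 1. One employee, both tokens, both passwords, one desk (the Bellingham pattern).
    w = _system()
    a = w.login("alice", "pw-a", "TOK-1", "desk-7", 0.0)
    b = w.login("bob", "pw-b", "TOK-2", "desk-7", 0.0)
    w.approve(a, "wire-100", 0.0)
    out["same_desk"] = w.approve(b, "wire-100", 0.0)
    # 2. Genuine dual control: two operators at two desks.
    w = _system()
    a = w.login("alice", "pw-a", "TOK-1", "desk-7", 0.0)
    b = w.login("bob", "pw-b", "TOK-2", "desk-9", 0.0)
    w.approve(a, "wire-200", 0.0)
    out["two_desks"] = w.approve(b, "wire-200", 0.0)
    # 3. Session left live overnight; malware tries to reuse it 12 hours later.
    w = _system()
    a = w.login("alice", "pw-a", "TOK-1", "desk-7", 0.0)
    out["token_reuse"] = w.login("alice", "pw-a", "TOK-1", "desk-8", 0.0)
    w.approve(a, "wire-300", 0.0)
    out["stale"] = w.approve(a, "wire-300", 12 * 3600.0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The workstation check relies on the system being able to identify the approving endpoint (for example by the VPN device it connects through); that is an assumption of this model. It also does not defeat a trojan acting inside a live session on the approving machine, which is how the Bellingham transfers were issued; the idle timeout and the separate-workstation rule shrink that window rather than close it.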


What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”).  After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016.  If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document.  While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.

Prior to the Proposal, at least four states already required that if a company collected financial information about consumers within their jurisdiction, some or all of the company’s security program must be reduced to writing; three states required that an employee be specifically designated to maintain the security program.  More importantly, the federal Gramm-Leach-Bliley Act (“GLBA”) contains broad requirements that mimic many of the Proposal’s provisions.  This includes, for example, the requirement that a financial institution conduct a risk assessment and maintain data breach response procedures.


Preventing Your Own Peach Breach

A Crash Course on Data Breach and Cyber Security

The recent disclosure by the Georgia Secretary of State of voters’ Social Security numbers has caused a number of our clients – particularly those based in Georgia – to request additional information concerning how to prevent and respond to data security incidents.

To that end we have gathered our recorded materials on effective breach prevention and response into a suggested week-long training program, with one hour of programming each day of the week following Thanksgiving. Celesq, the company that maintains the recordings of our programs, has agreed to waive the fee for any of our clients who wish to access them during the week.

  • Monday, November 30th: Data Security Boot Camp: A Crash Course in the Law
  • Tuesday, December 1st: Investigating Data Breaches: A Guide for In-House Counsel
  • Wednesday, December 2nd: Cyber-Insurance
  • Thursday, December 3rd: Data Breach Litigation
  • Friday, December 4th: Ethics and Data Breach Investigation

To receive a registration waiver, email Audrey Brekel at audrey.brekel@bryancave.com. To sign up for any, or all, of the days, please follow the directions here.


Georgia Secretary of State’s Office Has An “Oops Moment” Over Personal Identifying Information

The Georgia Secretary of State posted a letter on its website on November 18, 2015, admitting that, on October 13, the office inadvertently released personal identifying information on registered voters in Georgia. While the letter does not actually spell out what information was released, a lawsuit filed in Fulton County Superior Court this week alleges that the information on the 6,184,281 Georgia voters includes:

  • voter’s full name
  • residential address, or mailing address if different
  • race
  • gender
  • voter registration date
  • last date the person voted
  • Social Security number
  • driver’s license number
  • date of birth.

The information had been provided on CDs to 12 groups, including political parties and journalists, in a release that normally would only include basic information, such as names, addresses, registration and the last time the person voted. Under normal circumstances, the Secretary of State makes such information available for $500 to interested individuals and entities.

The Secretary of State’s letter indicates that the office has retrieved all of the CDs that contained the information and has confirmed that none of the data was retained by or disseminated to any third parties. In a day and time when state and federal governments have aggressively pursued private companies for similar inadvertent disclosures, the Secretary of State may still face liability.

The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.