Bryan Cave Leighton Paisner Banking Blog


Data Privacy and Security Team


Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

Over the last decade, as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by inputting the passwords both for herself and the other employee and inserted both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.

Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.


Preventing Your Own Peach Breach

A Crash Course on Data Breach and Cyber Security

The recent disclosure by the Georgia Secretary of State of voters’ Social Security Numbers has caused a number of our clients – particularly those based in Georgia – to request additional information concerning how to prevent and respond to data security incidents.

To that end, we have gathered together our recorded materials on effective breach prevention and response into a suggested week-long training program, with one suggested hour of programming every day the week following Thanksgiving. Celesq, the company that maintains the recordings of our programs, has agreed to waive the fee for any of our clients that wish to access them during the week.

  • Monday, November 30th: Data Security Boot Camp: A Crash Course in the Law
  • Tuesday, December 1st: Investigating Data Breaches: A Guide for In-House Counsel
  • Wednesday, December 2nd: Cyber-Insurance
  • Thursday, December 3rd: Data Breach Litigation
  • Friday, December 4th: Ethics and Data Breach Investigation

To receive a registration waiver, email Audrey Brekel at audrey.brekel@bryancave.com. To sign up for any, or all, of the days, please follow the directions here.


FDIC Examinations and Cyberattack Risk

FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks with a particular focus on information security. The federal banking agencies issued implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).

The FDIC Office of the Inspector General recently issued a report evaluating the FDIC’s capabilities regarding its approach to evaluating bank risk to cyberattacks. The FDIC’s supervisory approach to cyberattack risks involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and authorities; and providing guidance to institutions. The OIG report determined that the FDIC examination work focuses on security controls at a broad program level that, if operating effectively, help institutions protect against and respond to cyberattacks. The program-level controls include risk assessment, information security, audit, business continuity, and vendor management. The OIG noted, however, that the work programs do not explicitly address cyberattack risk.


April 2014 Client Alerts

Practice groups throughout Bryan Cave often prepare alerts on issues of interest to our clients and friends. Listed below are the Client Alerts published in April 2014.  Please click on the title to read the full text of the Alert.

U.S. Supreme Court Clarifies Test For Standing to Sue Under Federal False Advertising Statute And Rejects Test Used by Several Circuits to Prohibit Suits Brought By Non-Competitor Businesses, published by the Commercial Litigation, Intellectual Property and Trademarks practice groups on April 1, 2014.

The Australian Privacy Principles:  They don’t apply to me, do they?, published by the Data Privacy and Security team, April 1, 2014.

SEC Convenes Cybersecurity Roundtable:  Highlights Importance of Cybersecurity for Public Companies and Financial Market Participants, published by the Corporate Finance and Securities practice group and Data Privacy and Security Team, April 4, 2014.

Now It Gets Personal:  Department of Justice Obtains its First Ever Extradition on Antitrust Charges, published by the Antitrust and Competition White Collar Defense and Investigations practice on April 8, 2014.

SEC Touts Monetary Benefits of Whistleblowing, published by the White Collar Defense and Investigations, Securities Litigation and Enforcement and Labor and Employment practice groups, April 10, 2014. 

Paving The Way for Increased Data Litigation, Court Refuses to Dismiss FTC’s Use of Deception or Unfairness Authority in Data Breach Cases, published by the Data Privacy and Security Team, April 11, 2014.

$5.15B Cleanup:  Anadarko Environmental Settlement Reveals New Government Tactics, published by the White Collar Defense and Investigations and Environmental practice groups, April 11, 2014.

Court of Appeals Issues Opinion in Conflict Minerals Case:  Portion of Rule Violates First Amendment, published by the Corporate Finance and Securities practice group, April 14, 2014.

SEC Staff Responds to Court of Appeals Opinion in Conflict Minerals Case:  Game On, published by the Corporate Finance and Securities group, April 30, 2014.

Will This Be Enough?  Competitors Sharing Cyber Threat Information Will Not Result in Federal Antitrust Prosecutions — Sometimes, published by the National Security, Antitrust and Competition practice groups and the Data Privacy and Security Team

We Know Who You Are:  Companies’ Ability To Deal Confidentially With The CPSC is Further Eroded, published by the Consumer Protection and Data Privacy groups, April 18, 2014.

OCIE Issues Risk Alert Regarding Cybersecurity Preparedness, published by the Broker-Dealer, Litigation, Arbitration and Regulatory, and Investment Management groups, April 21, 2014.

Missouri Supreme Court Deals With Trade Secret Issues, published by the Labor and Employment practice group, April 22, 2014.

Missouri Supreme Court Introduces Drastic Change to Workers’ Compensation Retaliation Law, published by the Labor and Employment practice group, April 29, 2014.

New York’s Non-Profit Revitalization Act of 2013 and Its Impact on Non-Profit Organizations, published by the Non Profit Organizations practice on April 1, 2014.

U.S. Expands Sanctions Against Russia By Freezing More Assets and Restricting Exports (IRB No. 522), published by the International Trade group, April 29, 2014.

Partnership Tax Changes:  New Salaried Member Rules from 6 April 2014, published by the Tax Advice and Controversy practice group (London) on April 3, 2014.

New Consumer Regulations – Implications for Retailers doing Business in the UK, published by the London Retail team, April 17, 2014.

Sunday Trading Laws in the UK — Is The Customer Still King?, published by the London Retail team, April 17, 2014.

UK Deferred Prosecution Agreements — Key Considerations For Companies Deciding Whether To Self-Report, published by the White Collar Defense and Investigations, Global Anti-Corruption/Foreign Corrupt Practices Act Team, April 2, 2014.

New Consumer Protection Law:  A Reinforced Framework for Distribution Agreements, published by the Paris Consumer Protection and Data Privacy group, April 9, 2014.

New Consumer Protection Law:  A Stricter Regime for Payment Terms, published by the Paris Consumer Protection and Data Privacy group, April 9, 2014.

EU & Competition Law Update – April 2014, published by the European Antitrust and Competition group, April 10, 2014.

 


February 2014 – Bryan Cave Client Alerts

Practice groups throughout Bryan Cave often prepare alerts on issues of interest to our clients and friends.  Listed below are the client alerts published in January 2014.  Please click on the title to read the full text of the Alert.

Voluntary for Now:  Federal Cybersecurity Framework Likely to Become the Base-Line Requirement for Critical Infrastructure Organizations and, Potentially, Many Other Businesses, published by the National Security Data Privacy and Security Team, February 20, 2014.

Managing Legal Risks:  Trends in Data Privacy & Security Class Action Litigation, published by the Data Privacy and Security Team, February 27, 2014.

Bankruptcy Court Limits Credit Bid Right In An Unnecessarily “Rushed” Sale Process, published by the Bankruptcy, Restructuring and Creditors’ Rights Practice, February 14, 2014.

Proposed Regulation Would Limit Ability to Restrict Public Disclosure of Product Information Submitted to the CPSC, published by the Consumer Protection and Data Privacy Practice, February 27, 2014.

FINRA Levies Record Fine for AML Violations, published by the Securities Litigation and Enforcement and White Collar Defense and Investigations Practice Groups.

FINRA’s Sweep Letter Targets Cybersecurity, published by the Broker-dealer Litigation, Arbitration and Regulatory Practice, February 10, 2014.

Managing Legal Risks:  Trends in Advertising Class Action Litigation (2013 Year-In-Review), published by the Consumer Protection and Data Privacy and Class and Derivative Actions Practice Groups, February 18, 2014.

DINP Listed as Carcinogen Under Prop. 65, published by the Retail Team, February 28, 2014.

OCIE’s “Never-Before Examined Initiative,” published by the Broker-Dealer Litigation, Arbitration and Regulatory Practice.

Attorney-Client Privilege in FCPA Investigation Nullified Based on Crime-Fraud Exception, published by the White Collar Defense and Investigations, Internal Trade, Global Anti-Corruption/Foreign Corrupt Practices Act Team, February 25, 2014.

Yet Another List to Check:  the Foreign Sanctions Evaders (IRB No. 518), published by the International Trade Group, February 21, 2014.

A Year in the Garden, published by the London Labor and Employment Practice, February 19, 2014.

EU & Competition Law Update – February 2014, published by the European Antitrust and Competition Practice, February 10, 2014.

PRC Labor Activity Issues Interim Provisions on Labor Dispatch, published by the Asian Labor and Employment International Practice, February 25, 2014.

The Introduction of Time Limits in Works Council Consultations:  An Attempt at Streamlining Employer-Employee Relations, published by the Paris Labor and Employment Practice, February 3, 2014.


July 2012 Client Alerts

Two Key Rulings of the Supreme Court

A “Common Sense” Approach to Overtime Exemptions.  The Supreme Court’s recent ruling in Christopher v. SmithKline Beecham Corp., DBA GlaxoSmithKline established that when classifying employees as exempt or nonexempt under the Fair Labor Standards Act, employers should not abandon common sense and industry practice.  The Christopher case puts the Department of Labor and potential plaintiffs on notice that unreasoned and overly narrow interpretations of the exemptions should be rejected by courts, especially when such interpretations would subject business to unfair surprise.

Supreme Court Strikes Down Much of Arizona Immigration Law.  Arizona enacted the Support our Law Enforcement and Safe Neighborhoods Act in 2010 in an attempt to address immigration concerns within its borders.  In a 5-3 decision, the Supreme Court struck down a significant part of the Arizona law.

For summaries of these two important rulings of the Supreme Court, please click here for the Labor and Employment Client Service Group’s Alert published July 16, 201.

New York Appeals Court Decision Highlights Defenses for Financial Institution Defendants Against Structured Product Claims.

A recent decision from the New York Court of Appeals highlights some of the winning arguments financial-institution defendants can make in state-court litigation brought by investors in structured financial products.  In Oddo Asset Management v. Barclays Bank PLC, the Court of Appeals affirmed the dismissal of claims for aiding and abetting breach of fiduciary duty and tortious interference with contract.  Although the Court did not define any new legal principles, its decision illustrates the ways existing law can be applied to defeat claims against defendants alleged to have played an important role in the distribution of failed investments.  To learn more about the decision in this case, please click here to read the Securities Litigation and Enforcement Client Service Group’s Alert published July 9, 2012.

Employee Testimonials Can be Risky Business

Online retailers often permit (and encourage) consumers to review their products.  Reviews — whether done on the retailer’s website or on a third-party website — serve a dual purpose of engaging consumers to interact with the retailer and providing a ready source of testimonials that can be used in future marketing.  Over the past several years the FTC has warned that consumers can be deceived when a testimonial is written by a person that has a material connection with the retailer.  The FTC has launched at least a half-dozen investigations involving deceptive testimonials, and, in early July, the FTC announced its largest testimonial related settlement to date — $800,000.  To read more about how retailers can avoid liability, please click here to read the Alert published by the Retailer & Consumer Products Group on July 10, 2012.


April 2012 Client Alerts

IRS Releases Proposed Rules on New Comparative Effectiveness Fee for Health Plans

On April 12, 2012, the IRS released proposed regulations regarding the collection of the fee for the Patient-Centered Outcomes Research Trust Fund (the “Fund”) under the Patient Protection and Affordable Care Act.  The Fund will be used to pay for the Patient-Centered Outcomes Research Institute, which has the goal of helping health care providers and consumers make informed health decisions by synthesizing research comparing the outcome effectiveness of various treatments.  To learn more about the proposed regulations, the plans that will be impacted and the fee, please click here to read the Alert published by the Employee Benefits and Executive Compensation Client Service Group on April 23, 2012.

The Absolute Priority Rule:  An Endangered Species in Individual Chapter 11 Cases?

The absolute priority rule of Section 1129(b) of the Bankruptcy Code is a fundamental creditor protection in a Chapter 11 bankruptcy case.  The rule implements the general state-law principle that creditors are entitled to payment before shareholders unless creditors agree to a different result.  Recent litigation has raised the issue of  whether the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, which otherwise is a very creditor-friendly statute, modified the Bankruptcy Code in such a way as to eliminate the absolute priority rule if the debtor is an individual.  For a discussion of the issue, please click here to read the Alert published by the Bankruptcy, Restructuring and Creditors’ Rights Client Service Group on April 9, 2012.

Estate Planning in 2012

Generally, there are three basic goals of estate, generation skipping transfer and gift tax planning:  (1) the reduction of estate and gift taxes upon transfer; (2) the deferral of the estate, generation skipping transfer and gift tax burden; and (3) ensuring the necessary liquidity to pay the taxes when they become due.  As a result of the present low interest rates and the drop in value of most types of assets, there may be opportunities to engage in some estate planning that may not be available to clients when interest rates rise and values are driven higher.  To learn about how to take advantage of these opportunities in 2012, while we are sure we have them, please click here to read a memorandum published by Bryan Cave’s Private Client Group on April 10, 2012.

Data Breaches:  Will You Be Sued, And Can You Lower Risk?

According to a widely reported study, 90% of organizations have had at least one data breach in the last year and almost 60% had two or more breaches over the year.  In light of headlines describing multimillion-dollar data security breach settlements, it is no surprise that businesses fear the worst.   For a discussion of the litigation risks, range of liability and how businesses can lower the risks associated with security breaches, please click here to read an article written by the Data Privacy and Security Team attorneys and published in Law 360 on April 25, 2012.   


February 2012 Client Alerts

FINRA Issues Guidance on Protection of Customer Accounts

A recent alert from the Financial Industry Regulatory Authority (“FINRA”) is encouraging broker-dealers to reexamine their policies and procedures relating to protection of customer assets and accounts.  FINRA Regulatory Notice 12-05 advises broker-dealers that FINRA has received an increasing number of reports of customer funds being stolen as a result of instructions e-mailed to firms from customer e-mail accounts that have been compromised.  With that notice, FINRA also issued an Investor Alert advising the public about the reported incidents.  To learn more about the Notice and Alert, please click here to read the Alert published by the White Collar Defense & Investigations and Securities Litigation & Enforcement Client Service Groups and Data Privacy & Security Team on February 6, 2012.

Reporting Cybersecurity Risks — New Obligations for Publicly Traded Companies 

Most companies are aware that they may be required to report data security breaches to consumers and, in some instances, state attorneys general, the FTC, or HHS.  Publicly traded companies should bear in mind that they have to notify another group — their investors.  The SEC last year offered first-of-its-kind guidance on when companies should report cybersecurity incidents in their disclosure statements.  To learn more about the new requirements, please click here to read the Alert published by the Data Privacy & Security Team on February 14, 2012.

DOL Issues Final Fee Disclosure Rule

Earlier this year, the Department of Labor issued a final rule on the disclosure requirements for a contract or arrangement for services to a covered plan to be deemed “reasonable” under Section 408(b)(2) of the Employee Retirement Income Security Act of 1973 (“ERISA”).  These disclosure requirements become effective July 1, 2012 and apply to service contracts and arrangements entered into both before and after that date.  To learn more about the disclosures required and what plans or contracts may be excluded from the rule, please click here to read the Alert published by the Employee Benefits and Executive Compensation Client Service Group on February 7, 2012.
