Ben Giumarra

As transformative technologies are applied to antique laws and regulations, there is confusion over what financial institutions must do to ensure cybersecurity. Some banks completely prohibit all remote laptop use (and, probably, access to this Banker & Tradesman article online), while other banks don’t even take the steps necessary to prevent executives from using overly simplistic passwords to access secure networks.

There are plenty of grey areas in cybersecurity, too. What if a fintech approaches your institution with an innovative idea to use smart speakers (like Amazon Echo or Google Home) in the workplace? Or what if you spot a video-conferencing technology that seems to be a head-and-shoulders improvement over your current provider, but the company is small and relatively new? Does practicing good cybersecurity foreclose these opportunities?

To make these decisions and “right-size” cybersecurity investments, leaders must grasp the basic legal framework for ensuring cybersecurity. Otherwise, with technical experts seeming to counsel only for never-ending cybersecurity enhancements (adding cost and restricting use) and others seeming to challenge even basic cybersecurity best practices, it will just be a guessing game.

Who Regulates Data Protection?

There’s a lack of centralized and authoritative guidance addressing cybersecurity specifically – it’s not like there is a single law that has all the answers. Instead, to understand the legal requirements we must look at multiple sources and interpret them together.

The first source is simple civil liability, pulled from court cases brought by private consumers and from actions by state attorneys general. The most successful claims against Target, for example, were based on negligence, in that Target was negligent both for allowing the security breach and then for failing to alert consumers.

The simple principle here is that companies must exercise reasonable care in protecting their customers’ private data. When a breach occurs, a company that knew of a security flaw but failed to take adequate steps to address it will be in the worst position.

The Federal Trade Commission (FTC) provides a second source of law on data security through its charter to prohibit unfair or deceptive acts or practices. While “unfair” and “deceptive” are broad terms, the FTC has brought more than 50 cases for failure to implement reasonable safeguards for consumer data.

For example, the FTC cited AshleyMadison.com over a breach of consumer data that exposed a large number of website users seeking extramarital affairs. The FTC found the company’s “failure to take reasonable steps to prevent unauthorized access to personal information” to be an unfair trade practice. It also found the company’s claims that its website was “confidential” and “secure” to be deceptive, because it did not “take reasonable steps to ensure that [the website] was secure.”

While the FTC remains the top dog when it comes to regulating data security, the financial services industry should also keep an eye out for developments from the Consumer Financial Protection Bureau (CFPB), which could be a sleeping giant on this issue. It has vastly greater resources than the FTC and concentrates its attention on financial institutions. Like the FTC, it has distinct authority to prohibit unfair, deceptive or abusive acts or practices and has actually exercised this authority in at least one enforcement action involving data security.

The CFPB fined online payment platform Dwolla $100,000 in 2016 for “deceptive” acts against consumers by emphasizing the strength of its data security protections in advertising while failing to live up to them. While technically based on a deceptive marketing theory, this may be the groundwork for the CFPB’s own general jurisprudence on cybersecurity. After all, I don’t believe a financial institution could adopt lax security measures and avoid trouble with the CFPB simply by not bragging about data security in advertisements.

New York Offers Best Practices

The last source of law on cybersecurity and data security, and quite possibly the most important, is state-specific laws and regulations. The biggest of the bunch come from New York, although there are significant and recent changes in California, Arizona, Colorado and Vermont. Rollout of New York’s measures has been done in phases, with the first phase starting in 2017 and the final one still to come in 2019. Even if you don’t think the New York rules apply to you, I recommend treating them as industry best practices. New York has a history of setting precedent that other states later follow in this arena.

The New York cybersecurity regulation focuses mostly on risk management principles rather than setting specific standards. This gives the regulation room to grow as technology changes. For example, the regulation requires institutions to designate a chief information security officer and mandates annual reports to senior leadership. It also has more practical components, such as a general requirement for multi-factor authentication. Even institutions not operating in New York can voluntarily adopt these standards. It’s the best overall framework on what institutions should be doing to ensure cybersecurity.

Ben Giumarra is the director of legal and regulatory affairs at Embrace Home Loans. He may be reached at bgiumarra@embracehomeloans.com.

With Cybersecurity, When Is ‘Enough’ Enough for Financial Institutions?

Banker & Tradesman