U.S., U.K. Enforcement Actions Highlight Risks to Corporate Targets of Cyber Incidents
International Criminal Law and Enforcement columnists Vera M. Kachnowski and Peter J. Sluka write: Recent enforcement actions from U.S. and U.K. regulators highlight the risks companies face if their cybersecurity measures are deemed inadequate.
October 25, 2018 at 02:45 PM
8 minute read
With near-daily reports of foreign hacking, exposure of personal information, and corporate data breaches, cybersecurity sits at the forefront in the minds of many, including the federal government and global regulators. This September, the White House announced a new National Cyber Strategy, outlining how the United States intends to respond to vulnerabilities created by a globally-connected cyberspace where individuals, organizations, and nations interact, advance their interests, and hold sensitive data. National Cyber Strategy of the United States of America, September 2018. The strategy committed “to identify[ing] gaps and potential mechanisms for bringing foreign based cyber criminals to justice” and raised the importance of collaborating with international law enforcement given the “borderless nature of cybercrime.” Id. at 11.
Concurrently with this strategy, recent actions by regulators in the U.S. and abroad have made clear that they expect companies to pull their weight by taking adequate cybersecurity measures. Also in September, the Department of Justice's Cybersecurity Unit issued revised guidance on how organizations should anticipate and respond to cybersecurity incidents. Best Practices for Victim Response and Reporting of Cyber Incidents, September 2018. Recent enforcement actions from U.S. and U.K. regulators highlight the risks companies face if their cybersecurity measures are deemed inadequate.
|Voya Financial Advisors
On Sept. 26, 2018, the U.S. Securities and Exchange Commission (SEC) announced a $1 million settlement with registered broker-dealer/investment advisor Voya Financial Advisors (VFA) stemming from “failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.” Press Release, Securities and Exchange Commission, SEC Charges Firm with Deficient Cybersecurity Procedures (Sept. 26, 2018). The SEC charged Voya with violating the Safeguards Rule (17 C.F.R. §248.30(a)) and, for the first time in an enforcement action, the Identity Theft Red Flags Rule (17 C.F.R. §248.201). Both are designed to protect confidential customer information electronically held by financial institutions. The SEC found that VFA had violated these rules by failing “to adopt written policies and procedures reasonably designed to protect customer records and information.” In re Voya Financial Advisors (File No. 3-18840).
The circumstances of VFA's data breach are familiar. VFA employed a web portal through which its contractor representatives could access customers' personally identifiable information and manage accounts. In April 2016, hackers impersonating VFA contractor representatives called the VFA technical support line and asked to reset three representatives' web portal passwords. VFA previously had identified two of the phone numbers used by the imposters as associated with suspected fraudulent activity. Nonetheless, technical support reset the passwords, provided temporary passwords by phone, and, in two instances, also provided usernames to the imposters. VFA kept the accounts active even after one of the real contractor representatives informed the company that he had not requested a new password or changes to his account. Id.
The SEC found that VFA's cybersecurity measures did not “prevent the intruders from obtaining passwords and gaining access to VFA's portal by impersonating two additional representatives over the next several days.” It further blamed VFA's “deficient cybersecurity controls” for failure to timely “terminate the intruders' access to the three representatives' accounts.” Id. Though no known unauthorized customer transactions occurred, the intruders gained access to personal identifying information for at least 5,600 customers and account information for at least one.
The SEC determined that VFA had violated the Safeguards Rule by failing to maintain written policies and procedures that “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Id.; 17 C.F.R. §248.30(a). The SEC found that VFA's policies and procedures on resetting passwords, terminating web portal access, identifying high risk accounts, and creating customer profiles were not reasonably designed to meet these objectives, and that other VFA cybersecurity policies and procedures were not reasonably designed to apply to contractor representatives.
The SEC further determined that VFA had violated the Identity Theft Red Flags Rule's requirement that registered broker-dealers and investment advisers, inter alia, maintain an appropriate written Identity Theft Prevention Program “to detect, prevent, and mitigate identity theft.” The program's policies and procedures, which must be updated periodically, must identify and incorporate relevant red flags, and detect and respond appropriately when red flags occur. 17 C.F.R. § 248.201. In this case, “[a]lthough VFA adopted a written Identity Theft Prevention Program in 2009, VFA violated the Identity Theft Red Flags Rule because it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees. In addition, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected by VFA during the April 2016 intrusion.” In re Voya Financial Advisors (File No. 3-18840).
In reaching the settlement, the SEC credited VFA's prompt remedial efforts—including blocking the intruders' IP addresses, revising policies to prohibit providing temporary passwords by phone, and advising affected customers of the breach and offering free credit monitoring—and its hiring of a new Chief Information Security Officer to help prevent future security breaches. Id.
|Tesco Bank
Across the pond, the Financial Conduct Authority (FCA) announced on Oct. 1, 2018 that it had fined Tesco Bank £16,400,000 (roughly $21,500,000) “for failing to exercise due skill, care and diligence in protecting its personal current account holders” against a November 2016 cyber-attack. Press Release, Financial Conduct Authority, FCA Fines Tesco Bank £16.4m for Failures in 2016 Cyber Attack (Oct. 1, 2018). Tesco's hackers are thought to have used an algorithm to generate new Tesco Bank debit card numbers, then use those “virtual cards” in thousands of unauthorized, contactless debit transactions. Although no customer data was stolen, the FCA determined that deficiencies in Tesco's “design of its debit card, its financial crime controls and in its Financial Crime Operations Team” left personal account holders vulnerable. It deemed the incident, which netted the hackers £2.26 million (roughly $3 million), “largely avoidable.” Final Notice to Tesco Personal Finance Plc (Ref. No. 186022).
It took approximately 21 hours from when the attack on Tesco started for notification to reach the appropriate Fraud Strategy Team. The Fraud Strategy Team promptly made internal changes to block the fraudulent transactions, but ultimately had to engage external experts to uncover the full extent of the breach. When news of the incident reached senior management, they took immediate action to block online and contactless transactions. The FCA determined that “[s]enior managements' actions stopped the fraudulent transactions. They updated customers regularly and deployed significant resources to return customers to their previous financial position.” Id. Although 80 percent of the fraudulent transactions were ultimately stopped, over 8,000 personal accounts had been affected, and customers experienced distress, embarrassment, and inconvenience from the messages they received about the attack and their inability to use their cards. Id.
The FCA found that Tesco Bank had violated FCA Principle 2, which requires a firm to “conduct its business with due skill, care and diligence.” Tesco ran afoul of this principle through defects in its debit card design and fraud detection rules and by failing to address known risks about the source of the fraudulent transactions. Id. The resulting £16.4 million penalty represented a 30 percent discount due to the bank's early settlement; otherwise, the penalty would have been over £23 million (over $30 million). Id.
In assessing the appropriate penalty, the FCA considered Tesco's remedial efforts—which included refunding fees and reimbursing losses—and its full cooperation in the subsequent investigation. Specifically, the bank “independently commissioned expert reports on the root cause of the incident and its financial crime controls. It provided the reports to the Authority and took prompt steps to examine and revise its processes and procedures consistent with the recommendations in the reports … . Tesco Bank also agreed to participate in a symposium to discuss the lessons it learned from the attack with banks, other regulators and law enforcement agencies.” Id.
|Conclusion
Even as law enforcement agencies increase their efforts to combat cybersecurity incidents and hold perpetrators responsible, corporate targets remain at risk of regulatory action following a cybersecurity breach. The recent SEC and FCA actions against VFA and Tesco Bank highlight the need for companies to remain vigilant about ensuring adequate internal protections to avoid hefty fines and penalties and negative publicity. They also underscore the importance of a swift remedial response to any breach, both to stem the impact of the intrusion and to improve standing with regulators who may come calling.
Vera M. Kachnowski is of counsel and Peter J. Sluka is an associate at Schlam Stone & Dolan, where they specialize in white-collar defense and complex civil litigation.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllThe Unraveling of Sean Combs: How Legislation from the #MeToo Movement Brought Diddy Down
When It Comes to Local Law 97 Compliance, You’ve Gotta Have (Good) Faith
8 minute readTrending Stories
- 1Decision of the Day: Judge Reduces $287M Jury Verdict Against Harley-Davidson in Wrongful Death Suit
- 2Kirkland to Covington: 2024's International Chart Toppers and Award Winners
- 3Decision of the Day: Judge Denies Summary Judgment Motions in Suit by Runner Injured in Brooklyn Bridge Park
- 4KISS, Profit Motive and Foreign Currency Contracts
- 512 Days of … Web Analytics
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250