Court Affirms FTC Authority on Cybersecurity Issues
(8/26/15) A Third Circuit U.S. Court of Appeals panel of judges ruled Aug. 24 that the FTC could proceed with its lawsuit against hotel chain Wyndham Worldwide Corp. The suit claims the company violated the FTC Act's unfair business practice provisions when it took inadequate security measures to protect consumer data. As a result, the FTC claims, Wyndham had data breaches that between 2008 and 2009 exposed more than 619,000 payment cards and other consumer information.
Legal experts say the court's decision essentially affirms the FTC's authority to oversee and fine U.S. companies for cybersecurity missteps that result in the compromise of personal and payment information.
Based on the court's decision, "it is even clearer that the FTC is the leading agency in the U.S. for data breach matters," says cybersecurity attorney Chris Pierson, who serves as chief security officer of payments provider Viewpost. "Challenging the FTC's authority to regulate unfair/deceptive acts and practices is unlikely to be fruitful in court. The Wyndham case is a seminal case for the FTC for the proposition that the FTC has the power and ability to oversee cybersecurity breach issues as the nation's default regulator."
In a research note, threat-intelligence firm iSight Partners says the ruling reinforces the FTC's authority to punish organizations that fail to take adequate steps to ensure user security. "This creates additional financial risk for enterprises that elect not to make cybersecurity a priority, theoretically pushing organizations to enact effective security policies," according to the research note. "The FTC has provided some resources and guidelines for cybersecurity, and may seek to establish a structure or system for issuing fines in the future."
Other FTC Actions
In addition to its ongoing case against Wyndham, a final FTC ruling is pending in its longstanding breach-related cybersecurity case against medical testing company LabMD. And in July, the FTC charged ID theft protection firm LifeLock with deception, claiming the company violated a 2010 settlement with the commission and 35 state attorneys general by continuing to make deceptive claims about its ID theft protection services and failing to take steps to protect users' data.
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the Wyndham ruling could hurt LabMD's case, because the court has now made it clear that the FTC does have the authority to regulate cybersecurity. LabMD has argued, in part, that the FTC does not have jurisdiction.
What the Wyndham case does not make clear, however, is whether the FTC can fine and sue breached businesses that are regulated by other agencies, Nahra adds. "The Wyndham case doesn't address that issue at all, and I can't even try to guess how a court would [rule] based on the Wyndham decision," he says.
Attorney Adam Greene, a partner at law firm Davis Wright Tremaine in Washington, says the Wyndham ruling leaves many questions about how the FTC will regulate cybersecurity going forward. "The ruling means that entities will need to read the FTC tea leaves to best discern what is 'reasonable' security, as the court did not hold that the FTC has to set forth more specific standards," he says.
And Matt Franko, a senior management consultant at forensics and security assessment firm SecureState, contends that giving more government agencies authority to oversee corporate cybersecurity, as the Wyndham ruling does, won't be good for business.
"The government seems to be allowing all industries to govern themselves, until they prove they cannot get their own houses in order," Franko says. "Now they're stepping in, with the courts' help, and levying fines and lawsuits in attempt to rectify the situation."
Source: CU Info Security
12 Red Flags for "Funnel Accounts" Used to Launder Money
Regulatory and law enforcement agencies are cautioning financial institutions about an increased use of illegal funnel accounts to launder proceeds from human smuggling, human trafficking and drug trafficking crimes. In light of the recent attention on this money laundering trend, I thought it would be useful to provide a brief overview of funnel accounts and how they are used to launder criminal proceeds.
What is a "funnel account"?
A funnel account (sometimes referred to as an interstate funnel account) is a money-laundering method that exploits the branch networks of financial institutions. Illegal funds are deposited into an account at one geographic location, which gives criminals immediate access to the money via withdrawals in a different geographic location. Individual transaction amounts are kept below AML reporting thresholds in an attempt to avoid detection.
How Criminal Enterprises Use Funnel Accounts
Funnel accounts are opened by criminal organizations in the geographic area where the funds will be withdrawn, often locations along the southwest border of the U.S. The criminal organization provides the account number to co-conspirators around the U.S. who make cash deposits into the account from various geographic locations. The illicit funds are then immediately available for withdrawal by the criminal organization in the state in which the account was opened.
Alien smuggling organizations (ASOs) often use funnel accounts to receive illicit proceeds from U.S.-based family members of foreign nationals living in Mexico and Central America who pay "coyotes" to smuggle their relatives into the United States across the southwest border. Deposits into funnel accounts can occur anywhere in the U.S., since the individuals paying smuggling organizations can live in any part of the country.
Red Flags Indicators for Funnel Accounts
U.S. Immigration and Customs Enforcement (ICE) recently featured the topic of funnel accounts in its publication Cornerstone Report and provided the red flags listed below as potential indicators of this type of money laundering scheme.
- Account(s) with multiple deposits that are transferred to other accounts shortly afterward
- Accounts with high aggregate dollar deposit activity but with low account balances
- Accounts with deposits from multiple, different individuals or companies
- Accounts with multiple deposits from multiple locations outside the banking area
- Accounts with multiple deposits from multiple sources (e.g., cash, ATM deposits, checks, wire transfers, etc.)
- Accounts opened in the U.S., by individuals temporarily within the U.S. who are bearing immigration identity documents (such as border crossing cards), then used to wire transfer funds back to Mexico
- Deposits are immediately (or within 1 to 2 days) withdrawn or wired from the account
- Accounts with an unusually high number of charge-backs
- Financial activity not commensurate with stated business or occupation of the depositing individual
- Anonymous cash deposits made in destination states [interior states] followed by rapid cash withdrawals made in source states [border states]
- Abrupt change in account activity
- Branch-shopping at various financial institutions to disguise the nexus between the deposited funds and movements across U.S. international borders.
Financial institutions would be well advised to incorporate these red flag indicators into their suspicious activity detection initiatives.
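The following is an added example of how several of the ICE indicators above can be turned into rule-based screening logic and run over a transaction ledger. It is not from the Cornerstone Report or from any institution's monitoring system; the sample ledger is constructed, and the thresholds (three out-of-area states, three depositors, a two-day withdrawal window, a 90% deposit-to-balance turnover, an $8,000 to $9,999 "just under the CTR threshold" band) are assumptions chosen for illustration that a real program would tune to its own data.

```python
"""Toy funnel-account screen over a constructed transaction ledger.

Added example; not from the ICE Cornerstone Report or any institution's
monitoring system. All thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000          # US currency transaction reporting threshold
STRUCTURING_FLOOR = 8_000       # assumed lower bound of the "just under" band
RAPID_WINDOW = timedelta(days=2)  # "immediately (or within 1 to 2 days)"


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    kind: str        # "deposit" or "withdrawal"
    amount: float
    state: str       # US state of the branch/ATM where the transaction occurred
    channel: str     # "cash", "atm", "check", "wire"
    party: str       # depositor name as recorded, or "self" for withdrawals


def screen_account(txns, home_state):
    """Return the set of red-flag labels an account trips; an empty set is clean."""
    txns = sorted(txns, key=lambda t: t.when)
    deposits = [t for t in txns if t.kind == "deposit"]
    withdrawals = [t for t in txns if t.kind == "withdrawal"]
    flags = set()

    # Deposits from multiple locations outside the banking area
    if len({t.state for t in deposits if t.state != home_state}) >= 3:
        flags.add("multi_state_deposits")

    # Deposits from multiple, different individuals
    if len({t.party for t in deposits}) >= 3:
        flags.add("multiple_depositors")

    # Deposits from multiple source types (cash, ATM, checks, wires)
    if len({t.channel for t in deposits}) >= 2:
        flags.add("mixed_channels")

    # Deposits in interior states followed by rapid withdrawals in the home (border) state
    rapid = sum(
        1 for d in deposits
        if any(d.when <= w.when <= d.when + RAPID_WINDOW and w.state == home_state
               for w in withdrawals)
    )
    if deposits and rapid / len(deposits) >= 0.5:
        flags.add("rapid_withdrawal")

    # High aggregate deposit activity but a low remaining balance
    total_in = sum(t.amount for t in deposits)
    balance = total_in - sum(t.amount for t in withdrawals)
    if total_in >= 20_000 and balance < 0.1 * total_in:
        flags.add("high_turnover_low_balance")

    # Cash deposits kept just under the CTR threshold (structuring)
    just_under = [t for t in deposits
                  if t.channel == "cash" and STRUCTURING_FLOOR <= t.amount < CTR_THRESHOLD]
    if len(just_under) >= 2:
        flags.add("structuring")

    return flags


def screen_ledger(ledger, home_states):
    """Group a mixed ledger by account and screen each one; returns {account: flags}."""
    by_acct = defaultdict(list)
    for t in ledger:
        by_acct[t.account].append(t)
    return {acct: screen_account(ts, home_states[acct]) for acct, ts in by_acct.items()}


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample ledger: one funnel-like account (F-1) opened in a border
# state and fed from interior states, and one ordinary payroll account (P-1).
SAMPLE_LEDGER = [
    Txn("F-1", _d("2015-08-03 09:10"), "deposit", 9_500, "GA", "cash", "R. Ortiz"),
    Txn("F-1", _d("2015-08-03 14:40"), "deposit", 9_200, "NC", "cash", "L. Mena"),
    Txn("F-1", _d("2015-08-04 08:05"), "withdrawal", 18_000, "TX", "cash", "self"),
    Txn("F-1", _d("2015-08-10 11:20"), "deposit", 4_000, "IL", "atm", "unknown"),
    Txn("F-1", _d("2015-08-10 16:00"), "deposit", 9_800, "OH", "cash", "J. Paz"),
    Txn("F-1", _d("2015-08-11 09:30"), "withdrawal", 13_500, "TX", "cash", "self"),
    Txn("P-1", _d("2015-08-01 00:00"), "deposit", 3_100, "TX", "wire", "Acme Payroll"),
    Txn("P-1", _d("2015-08-15 00:00"), "deposit", 3_100, "TX", "wire", "Acme Payroll"),
    Txn("P-1", _d("2015-08-20 10:00"), "withdrawal", 400, "TX", "atm", "self"),
]
HOME_STATES = {"F-1": "TX", "P-1": "TX"}

if __name__ == "__main__":
    for acct, flags in screen_ledger(SAMPLE_LEDGER, HOME_STATES).items():
        print(acct, sorted(flags) or "no red flags")
```

Each rule maps to one bullet in the ICE list, and the account is scored on how many it trips rather than on any single one: a payroll account can legitimately show two channels or an occasional rapid withdrawal, so in practice the count of coincident indicators, not any one hit, is what should drive a SAR review.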
FTC Consumer Privacy Conference announced
The Federal Trade Commission has announced it will host PrivacyCon, a conference examining cutting-edge research and trends in protecting consumer privacy and security, in Washington, DC on January 14, 2016. The event is the first of its kind and will bring together leading stakeholders, including white-hat researchers, academics, industry representatives, federal policymakers, consumer advocates and others. A PrivacyCon website has been established, and more information will be posted at a later date.
Register for OFAC symposium
OFAC has opened the registration for its 2015 Fall Symposium to be held September 22 from 8 a.m. to 4 p.m. ET in Washington, D.C. Note that online registration does not automatically confirm attendance. A separate email will be sent containing registration status. Travel arrangements should not be made until a confirmation email is received.
Providing Sensitive Credit Union and Member Data to NCUA
ALEXANDRIA, Va. (8/27/15)--Recently updated examination procedures from the National Credit Union Administration are intended to strengthen safeguards for data received electronically during an examination.
The changes, detailed in a letter sent to credit union CEOs last week, are based on recommendations the NCUA’s Office of the Inspector General made in June.
The NCUA defines “sensitive data” as: information which by itself, or in combination with other information, could be used to cause harm to a credit union, credit union member or any other party external to the NCUA; and any information concerning a person or their account which is not public information, including any non-public personally identifiable information.
“In order to ensure sensitive electronic credit union and member data is well protected, the data held by NCUA needs to be encrypted,” reads the letter, signed by Larry Fazio, director of the NCUA’s Office of Examination and Insurance. “The process of exchanging this data between credit unions and examiners also needs to be secure and well controlled.”
Effective immediately, NCUA examiners may only accept sensitive data electronically through:
Secure electronic transmission, or transfer by removable media, with encryption. The data files, or the electronic transmission conveying the files, must be encrypted. Encryption must use at least a 128-bit key and a strong password (minimum eight characters, mixture of upper- and lowercase letters, numerals and special characters). The password must be provided separately from the device or transmission; and
In-person transfer by removable media without encryption. If a credit union is unable or unwilling to provide data as described in the previous option, the examiner may accept the data if a credit union representative hands the data files to the examiner and remains physically present while the examiner transfers the data to the NCUA's encrypted equipment.
“The above protocols reflect the initial steps NCUA is taking to strengthen the safeguards for sensitive data received electronically from a credit union during an examination,” the letter reads. “NCUA is in the process of acquiring a secure file transfer solution (such as an online portal) to facilitate examiner staff and credit unions securely and efficiently exchanging information.”
Fazio added that the agency aims to have such a solution in place early in 2016.