In its Winter 2015 Supervisory Insights, the FDIC issued a clear warning to financial institutions that they must make cybersecurity a top priority and outlined the top cyber threats that banks need to monitor and address, including malware, distributed denial-of-service and compound attacks. The FDIC said that financial institutions must place immediate focus on:
Corporate Governance of Cybersecurity: A financial institution’s Board of Directors and executive management must create a corporate culture that prioritizes cybersecurity, managing cyber risk as they do any other business risk.
Training and Education: Financial institutions must educate employees, contractors and customers about cybersecurity threats, highlighting the risk in each business function. Everyone — from the Board to entry-level employees — should participate in mandatory cybersecurity awareness training, since it only takes a misstep from one person to put the entire enterprise at risk. Training should be specific to each job function. Internal programs to fix known and potential vulnerabilities (“patch management”) should be implemented. Organizations should use both internal and external audits to determine the effectiveness of their cybersecurity programs.
Regulatory Response and Resources: Organizations need to take advantage of regulatory agency resources like the FDIC’s “Cyber Challenge” and the FFIEC’s 2014 Security Assessment to develop effective cybersecurity programs and routinely self-assess.
California Data Breach Notification Requirements
As of January 1, 2016, California’s new data breach notification requirements are in effect and include:
A new format for data breach notices requires that the notice be in plain language, use at least 10 pt. type and be titled, “Notice of Data Breach.” In addition, the notice must include the following five headings:
- What Happened
- What Information Was Involved
- What We Are Doing
- What You Can Do
- For More Information
California allows for “substitute notice” when a company must notify more than 500,000 residents or if the cost of a notification would exceed $250,000. The new law outlines how a company may provide substitute notice in California, including email, website posting for a minimum of 30 days and notifying statewide media as well as the California Department of Technology’s Office of Information.
However, if the breach only involves a resident’s username or email address for an online account in combination with the password or security question, then a company may notify the affected resident via email and advise them to change their password and security question.
While California does not require a breach notice that involves encrypted data, the law has never previously defined “encrypted.” This has now been remedied with the following definition:
“Rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
In addition, the definition of “personal information” has been expanded to include license plate information or information that has been collected via an automated license plate recognition system when that information is associated with an individual’s name.
The attorneys at Glass & Goldberg in California provide high quality, cost-effective legal services and advice for clients in all aspects of commercial compliance, business litigation and transactional law. Call us at (818) 888-2220, send an email inquiry to [email protected] or visit us online at glassgoldberg.com to learn more about the firm and to sign up for future newsletters.