Regulations Archives | Auto Remarketing

5 parts of latest FFIEC guidance on authentication & access to digital banking systems


Last week, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees and third parties accessing digital banking services and information systems.

The five parts of the guidance include:

— Highlights the current cybersecurity threat environment including increased remote access by customers and users and attacks that leverage compromised credentials; and mentions the risks arising from push payment capabilities.

— Recognizes the importance of the financial institution’s risk assessment in determining appropriate access and authentication practices for the wide range of users accessing financial institution systems and services.

— Supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.

— Discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.

— Includes examples of authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management.

Officials indicated the new guidance replaces previous documents issued in 2005 and 2011.

The FFIEC was established in March 1979 to prescribe uniform principles, standards and report forms and to promote uniformity in the supervision of financial institutions. It also conducts schools for examiners employed by the five federal member agencies represented on the FFIEC and makes those schools available to employees of state agencies that supervise financial institutions.

The council consists of six voting members from the Federal Reserve System, the Federal Deposit Insurance Corp., the Consumer Financial Protection Bureau, the Comptroller of the Currency, the National Credit Union Administration, and the chairman of the State Liaison Committee.

The new guidance can be downloaded via this website.

Senators aim to create federal equivalent of CFPB to regulate consumer data


A measure was recently introduced in the U.S. Senate that aims to create another agency on par with the Consumer Financial Protection Bureau but for regulatory oversight of data.

Sen. Kirsten Gillibrand recently announced her renewed legislation — the Data Protection Act of 2021 — would create the Data Protection Agency (DPA), an independent federal agency that, according to the New York Democrat, would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent.

Gillibrand explained in a news release that the legislation, first introduced last year, has been updated and has undergone significant improvements, including:

— Updating provisions to protect against privacy harms and discrimination

— Overseeing the use of high-risk data practices

— Examining and proposing remedies for the social, ethical, and economic impacts of data collection

Additionally, Gillibrand said the DPA would have the authority and resources to effectively enforce data protection rules — created either by itself or Congress — and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief and equitable remedies.

The lawmaker went on to say the DPA would promote data protection and privacy innovation across public and private sectors, developing model privacy and data protection standards, guidelines, and policies for use by the private sector.

The U.S. is one of the only democracies, and the only member of the Organization for Economic Cooperation and Development (OECD), without a federal data protection agency.

Sen. Sherrod Brown, an Ohio Democrat, is an original co-sponsor of the Data Protection Act.

“In today’s digital age, Big Tech companies are free to sell individuals’ data to the highest bidder without fear of real consequences, posing a severe threat to modern-day privacy and civil rights. A data privacy crisis is looming over the everyday lives of Americans and we need to hold these bad actors accountable,” Gillibrand said.

“It’s critical that we modernize the way we handle technology, which is why I first introduced the Data Protection Act last year, in order to create an executive agency whose sole job is to protect data and privacy,” she continued. “The new and improved DPA of 2021 takes on even bigger and bolder reforms, including provisions to help the DPA address Big Tech mergers, penalize high-risk data practices, and establish a DPA Office of Civil Rights.

“The U.S. needs a new approach to privacy and data protection and it’s Congress’ duty to step forward and seek answers that will give Americans meaningful protection from private companies that value profits over people,” Gillibrand went on to say.

And Brown, who is chairman of the Senate Committee on Banking, Housing, and Urban Affairs, added these points.

“Facebook, YouTube, and other big tech companies have abused millions of users’ data, and paying fines has become part of the cost of doing business,” Brown said. “We need stronger protections for people’s personal data. That means a robust independent data protection agency like the CFPB, with the tools and resources to protect people’s data and privacy.”

A synopsis of the proposal is available on this website while the entire Senate measure can be downloaded via this page.

Helion Technologies to help CNCDA members comply with new privacy act


Franchised dealerships in the Golden State now have another resource to foster compliance with privacy regulation set to be implemented in less than a year.

According to a news release distributed on Tuesday, Helion Technologies has partnered with the California New Car Dealers Association (CNCDA) to educate dealers on how to comply with the California Consumer Privacy Act (CCPA). Officials explained the sweeping new privacy law takes effect in January, imposing new data security standards on dealerships located in California as well as third-party vendors that access and/or store customer data from these dealerships.

In a nutshell, Helion Technologies indicated the CCPA requires businesses to implement “reasonable measures” to protect consumers’ personal data. The California attorney general defined “reasonable measures” as compliance with 20 controls established by the Center for Internet Security.

“For most dealers, compliance will require significant upgrades to their software, hardware and data security equipment,” said Erik Nachbahr, president and founder of Helion Technologies. “Additionally, dealerships will need to implement internal processes designed to keep data safe, and provide their employees with security awareness training.”

Helion Technologies indicated the CCPA applies to any business that meets one of these requirements:

1. Grosses $25 million or more in revenue

2. Buys, sells or shares personal information for 50,000 or more consumers

3. Derives 50% or more of its revenues from selling consumers’ personal information

The firm pointed out that many dealerships meet the first two requirements. In addition to dealers, the CCPA applies to third parties located outside of California. This situation means that auto manufacturers, dealership management software (DMS) vendors, CRM vendors, marketing vendors and any other entity with which dealers share their customers’ personal information must also comply with the new law.

Helion Technologies went on to note the CCPA gives more rights to consumers related to how dealerships may collect and use their information. Once the laws take effect, upon a request from a consumer, the firm said dealers will be required to:

• Correct inaccurate consumer data

• Delete the consumer’s personal data unless it’s necessary to do business, as well as delete all of their data from the databases of third parties with which you’ve shared such information

• Restrict processing or sharing of information if the consumer objects to its usage for reasons not related to the purpose for which it was collected, such as usage in direct marketing

• Allow customers to easily opt-out of having their personal information sold to a third party

Dealerships are also required to proactively provide full disclosure to consumers about what their data is used for, who it gets shared with and for what purpose, at the time said data is collected, according to Helion Technologies.

The firm added non-compliance may result in fines and a flood of litigation from consumers.

“CNCDA is excited about our new partnership with Helion and the technical expertise they will bring to our members. We are committed to supporting the necessary outreach and critical education so that California dealers better understand the legal requirements of the CCPA, as well as the most cost-effective ways to keep their dealerships in compliance,” CNCDA president Brian Maas said.

“Helion’s knowledge in data security and technology will be enormously helpful to our dealer members as they navigate bringing their networks up to CCPA standards,” Maas added.

The pending regulation will be discussed in even more detail during the Automotive Intelligence Summit. Mary Ross, president of Californians for Consumer Privacy, and former CIA Counterintelligence Officer and counsel on the House Intelligence Committee, will explore the intersection of data privacy and big data during the event, which runs July 23-25 in Raleigh, N.C. Early bird registration discounts are already available.
