Student Lending Privacy and Data Security

Student Lending Privacy and Data Security

Privacy and Data Security Update: Although federal efforts on data security appear to have stalled for now, many states have stepped up their regulation of privacy and data security issues. This session will provide an overview of the current state of play in this important area, with respect to both federal and state efforts, including recent developments in New York. (60 Minutes)

Introduction/Moderator:
Speaker: Dino Tsibouris, Tsibouris & Associates
Dino Tsibouris (614) 360-3133 Dino@Tsibouris.com

Data Breaches Average $6.5M in Damage to US Companies

How much is your customers’ data worth?

Sample Student Loan Breaches
- Student loan data (2007; lost offsite storage media)
- Theft of portable media holding student loan records (2010; 3 million affected)
- Unauthorized website logins (2014; 1,328 affected)
- FAFSA auto-populated IRS data into false student loan applications, allowing fraudulent tax returns to be filed (2017; 100,000 affected)

Federal Privacy

Protecting Student Privacy Act
- Introduced in the Senate April 6, 2017
- Amends FERPA
- No PII to outside parties that do not have a comprehensive information security program
- Must keep records of those with access to PII
- Outside parties must:
  - Provide parental access to PII
  - Offer hearings through the institution to address data correction or deletion

Federal Disclosures: GLBA Model Privacy Notice
- Applies to financial institutions
- Initial, annual, and revised privacy notices must be sent to customers
- FAST Act of 2015 (PL 114-94) eliminated the requirement to deliver annual notices in limited cases

Federal Disclosures: GLBA Model Privacy Notice
Annual notices are eliminated if:
- NPI is not shared in a way that triggers an opt-out right under GLBA or FCRA Section 603
- There have been no changes to policies and practices since the last notice
- The model form is used

Federal Disclosures: GLBA Model Privacy Notice
- CFPB proposed regulations to implement the 2015 amendment in July 2016; not finalized yet
- NCUA treats the statutory exemption as effective (Regulatory Alert 16-CU-03)
- FDIC, CFPB, and FRB examination procedures are similar
- OCC has not provided guidance

FTC Update on COPPA
- Children's Online Privacy Protection Act, 16 CFR Part 312
- Updated business guidance issued June 21, 2017
- Clarifies that connected devices ("IoT") are covered along with websites and mobile apps
- Adds knowledge-based authentication questions and facial recognition as acceptable methods of obtaining verifiable parental consent

FTC Update on COPPA: the six-step compliance plan
1. Determine whether you collect personal information from kids under 13
2. Post a compliant privacy policy
3. Notify parents directly before collecting data
4. Get parents' verifiable consent
5. Honor parents' ongoing rights
6. Implement reasonable security procedures

FTC Enforcement: Leads
- Purchasing lists and leads is common in student lending
- Lists should contain only persons who authorized the collection and sharing of their data
- Contracts for the purchase of leads should include representations and warranties that the leads agreed to have their information collected and shared with you
- 2015: FTC hosted lead generation compliance workshops
- 2016: FTC took action against a lead generator

State Privacy

Background: California AG Data Breach Report
Key recommendations:
- "Reasonable security" means, at a minimum, the 20 controls in the Center for Internet Security's Critical Security Controls; failing to implement the controls that apply to your environment is a lack of reasonable security
- Multi-factor authentication for consumer-facing online accounts and for employee access
- Strong encryption of personal information on laptops and other portable devices, and consideration of it for desktops

State Breach Notification Laws California AB-2828 (1/1/17) (a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or,

State Breach Notification Laws California AB-2828 (1/1/17) (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

State Breach Notification Laws California AB-2828 (1/1/17) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

State Breach Notification Laws: Illinois HB 1260 (1/1/17)
- Notify if a username combined with a password, or with a security question and answer, is acquired
- Encryption safe harbor does not apply if the key is compromised
- May notify electronically
- If the entity is subject to GLBA, GLBA compliance is deemed compliance with the statute

State Breach Notification Laws: Nebraska LB 835 (7/21/16)
- Personal information includes a username or email address combined with a password or security question and answer
- Encryption safe harbor not applicable if the key is compromised
- Notification to the Attorney General whenever consumer notice is required

State Breach Notification Laws: New Mexico HB 15 (6/17/17)
- Notify if there is a "significant risk of identity theft or fraud"
- Notification within 45 days, unless delay is requested by law enforcement
- Notification to the Attorney General and the major CRAs if more than 1,000 residents are affected

State Breach Notification Laws: New Mexico HB 15 (6/17/17), continued
- Must dispose of PII when it is no longer needed
- Must contractually require service providers to maintain reasonable security and protect PII; "reasonable" is not defined
- Does not apply to entities subject to GLBA

State Breach Notification Laws: Tennessee (4/1/17)
- Encrypted data is excepted if the encryption is NIST FIPS 140-2 compliant
- 45-day notification time frame, extended by an additional 45 days if law enforcement requests further investigation
- Private right of action
- Excludes companies subject to Title V of GLBA
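The encryption safe harbors in the California, Illinois, Nebraska and Tennessee provisions above all turn on one engineering fact: encrypted data stays outside the notification trigger only if the key was not acquired along with it. The following is an added example, not part of the original slides, showing envelope encryption with the Go standard library. Each record is sealed with its own data encryption key, that key is wrapped under a key-encryption key assumed to live in a separate system (an HSM or KMS), and only the wrapped form is stored next to the ciphertext. A dump of the database alone yields nothing readable; a dump plus the key-encryption key yields everything, which is exactly the "key or credential also acquired" case the statutes carve out. The record fields, the associated-data labels and the key handling are assumptions for illustration, and the sample record is constructed. AES-256-GCM is a FIPS-approved algorithm, but FIPS 140-2 status attaches to a validated cryptographic module, not to the algorithm choice, so this code on its own does not satisfy the Tennessee wording.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a constructed sample student-loan record; every value is made up.
type Record struct {
	BorrowerName string `json:"borrower_name"`
	SSN          string `json:"ssn"`
	BalanceCents int64  `json:"balance_cents"`
}

// Envelope is all the application database stores: the per-record data key (DEK)
// only in wrapped form. The key-encryption key (KEK) is assumed to live elsewhere.
type Envelope struct {
	WrapNonce, WrappedDEK []byte // AES-256-GCM(KEK, DEK)
	DataNonce, Ciphertext []byte // AES-256-GCM(DEK, JSON(record))
}

// Assumed associated-data labels bind each ciphertext to its role (wrap vs. record).
var aadWrap, aadRecord = []byte("student-loan/dek-wrap/v1"), []byte("student-loan/record/v1")

// NewKey returns 32 random bytes for use as an AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen fails on a wrong key or any altered byte, so a stolen envelope without
// the KEK is indecipherable, which is what the statutory "encrypted" test asks for.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt seals one record under a fresh DEK, then wraps that DEK under the KEK.
func Encrypt(kek []byte, rec Record) (env Envelope, err error) {
	plaintext, _ := json.Marshal(rec) // a struct of strings and ints cannot fail to marshal
	dek, err := NewKey()
	if err != nil {
		return env, err
	}
	if env.DataNonce, env.Ciphertext, err = gcmSeal(dek, plaintext, aadRecord); err != nil {
		return env, err
	}
	env.WrapNonce, env.WrappedDEK, err = gcmSeal(kek, dek, aadWrap)
	return env, err
}

// Decrypt must unwrap the DEK with the KEK before the record can be opened.
func Decrypt(kek []byte, env Envelope) (rec Record, err error) {
	dek, err := gcmOpen(kek, env.WrapNonce, env.WrappedDEK, aadWrap)
	if err != nil {
		return rec, fmt.Errorf("unwrap DEK: %w", err)
	}
	plaintext, err := gcmOpen(dek, env.DataNonce, env.Ciphertext, aadRecord)
	if err != nil {
		return rec, fmt.Errorf("open record: %w", err)
	}
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func main() {
	kek, _ := NewKey() // stands in for a KEK held in a KMS, outside the database
	env, _ := Encrypt(kek, Record{BorrowerName: "Jane Example", SSN: "000-00-0000", BalanceCents: 1234500})
	wrong, _ := NewKey()
	_, err := Decrypt(wrong, env) // database dump without the KEK: unreadable
	fmt.Println("dump only:", err)
	rec, _ := Decrypt(kek, env) // dump plus the KEK: readable, and the safe harbor is lost
	fmt.Printf("dump plus KEK: %+v\n", rec)
}
```

The design choice that matters for the statutes is the separation, not the cipher: if the KEK were stored in the same database, a single dump would carry both ciphertext and key and the Illinois and Nebraska language ("safe harbor not applicable if the key is compromised") would put the incident back inside the notification rule.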

State Cybersecurity Regulation: New York (3/1/17), 23 NYCRR Part 500
- Applies to entities regulated by the NY DFS
- Written periodic risk assessment (the proposed rule said annual; the final rule sets no fixed interval)
- Written cybersecurity policy
- Written incident response plan

State Cybersecurity Regulation: New York (3/1/17), continued
- Appointment of a CISO (may be an employee of an affiliate or of a third-party service provider)
- Annual penetration tests (a defined term) and bi-annual vulnerability assessments (not defined; the proposed rule had said quarterly)
- "Adequate staffing"
- Regular awareness training, updated annually

State Cybersecurity Regulation: New York (3/1/17), continued
- Maintain audit trails and records: five years for records that reconstruct material financial transactions, three years for records used to detect and respond to cybersecurity events (the proposed rule had said six years)
- Encryption of nonpublic information in transit and at rest, or effective compensating controls approved by the CISO where encryption is infeasible
- Annual certification of compliance to NY DFS (due February 15)

State Cybersecurity Regulation: New York (3/1/17), continued
- Third party service provider security policy (transitional period: required within two years of the effective date)
- Multifactor authentication for any individual accessing internal networks from an external network, unless the CISO approves in writing reasonably equivalent or stronger controls
- "Risk-based authentication" (defined in section 500.01 as a system that detects anomalies in a person's normal use pattern and requires additional identity verification when they occur)
- Notify NY DFS within 72 hours of determining that a cybersecurity event occurred that must be reported to another regulator or has a reasonable likelihood of materially harming normal operations

State Law Data Breach Considerations
- Whether unauthorized access alone, rather than acquisition, triggers notification
- Encrypted data exclusion
- Risk-of-harm analysis
- Notice to the AG or regulator
- Notice within a specified time frame
- Private cause of action
- Whether paper records may trigger notice

Privacy Statements and Notices: Putting It In Writing

State Disclosures: California Privacy Notice
- California Online Privacy Protection Act of 2003 (CalOPPA)
- Applies if you collect PII online from even a single California resident
- Website privacy policy required, posted conspicuously:
  - On the home page or the first significant page on the site, or
  - Via a linked icon or text link using the word "privacy" in a contrasting color

State Disclosures: California Privacy Notice
Must include:
- Categories of PII collected
- Categories of third parties with whom PII is shared
- Process for reviewing and requesting changes to PII, if one is offered
- Description of the process for notifying users of changes to the policy
- Effective date
- How the site responds to "Do Not Track" signals, and whether third parties may collect PII across sites over time (added by AB 370, effective 1/1/14)

State Disclosures: California Privacy Notice
Using the GLBA Model Privacy Notice as the website privacy notice does not comply with CalOPPA: the model form does not carry the online-specific disclosures the state law requires.

Website Privacy Policies (slide shows a bank website footer: Site Map | Terms of Use | Privacy | ©2017 Member FDIC)

Website Privacy

Website Privacy - Updates

Website Privacy - Updates

Mobile Privacy - Updates

Marketplace Lender and Service Provider Compliance Challenges
- More than one entity with legal terms, where the roles of each may not be readily apparent to the consumer
- Pay particular attention to FDIC/OCC marketplace lending and third-party risk guidance
- Whose legal terms (GLBA notice, Privacy Policy, Terms of Use, ESIGN consent) are binding?
- Are information sharing activities properly disclosed in these documents?
- Are there any activities that will draw the attention of regulators?

Service Providers

What the right hand giveth… “Vendor agrees that personally identifiable information provided by Lender to Vendor shall be confidential information and shall only be used to perform the services set forth in this agreement.” “Vendor agrees to protect confidential information in accordance with applicable federal, state, and local law.”

…the left hand taketh away? “Vendor shall not be liable for direct, indirect, consequential, exemplary, or any other damages.” “Vendor’s liability shall be limited to an amount equal to the fees paid by Lender to Vendor in the six (6) months prior to date of the act or omission from which Vendor’s liability arises.”

Questions & Answers Dino Tsibouris (614) 360-3133 dino@Tsibouris.com