Data Security Considerations for FinTech Companies
By Ian C. Wildgoose Brown, WilmerHale
I. Introduction; the General Rule
Businesses that straddle the worlds of finance and technology are subject to a regulatory patchwork that is only increasing in complexity as governments take a greater interest in privacy, data security and consumer protection.1 As these two worlds converge, an increasing number of businesses will become subject to existing regulatory regimes as well as new initiatives from government agencies and industry players. Whether your business deals with individual or institutional customers, you are likely subject to a variety of legal and practical constraints in operating your business.
Data security and privacy standards for companies in the financial sector are generally well-settled, at least in theory. Companies generally must maintain reasonable procedures to protect sensitive information. However, this determination is highly context-specific: whether your security practices are reasonable depends on the nature and size of your business, the types of information you collect or have access to, the data security tools available to you based on your company’s resources, and the particular security risks your business is likely to face.2 In addition to this general rule, there are a number of statutes that impose specific obligations on certain types of businesses operating in this space.
II. Are You a “Financial Institution”?
The term “financial institution” is defined broadly under many of the laws that apply to the finance industry. In general, financial institutions include traditional commercial and investment banks as well as money services businesses such as money transmitters, cheque cashers, and sellers or issuers of stored value. However, companies like Facebook, which operate in apparently unrelated spaces, are warning in their disclosure documents that they could be subject to these laws.3 Whether your business is subject to these laws depends on the substance of your company’s activities.
For example, the Gramm-Leach-Bliley Act (which cross-references the Bank Holding Company Act of 1956) imposes its data security and data-sharing standards on businesses that engage in general categories of “financial” activities. These activities include safeguarding or transacting in money or securities, lending, insuring, or providing financial, investment, or economic advice.4 A patchwork of state “money transmitter” laws in states such as New York, New Jersey, Connecticut, Massachusetts and California supplements applicable federal laws. These state laws typically apply to non-bank companies engaging in activities within the state that facilitate consumer payments via funds that are kept, retrieved and transferred electronically—such as selling, issuing or exchanging “payment instruments” (substitutes for cash or value-holders), receiving money for transmission or transmitting money, and handling information connected with transactions in money or payment instruments. (Companies such as Facebook, Amazon, Google and PayPal are licensed money transmitters in California5 and other states.) These laws typically require companies to obtain a license to operate and impose audit and corresponding data retention and records requirements.
Further, liberal interpretation of the definition of “financial institution” by regulating agencies under a variety of laws could capture not only banks and traditional financial institutions but also the service providers they contract with. And whether or not you are directly regulated, if you provide services to financial institutions then you are contracting with counterparties who are—and who are thinking of their own privacy and data security obligations as they negotiate their contracts with you. Their duty to safeguard information extends to situations where an institution makes the information available to third-party service providers. This legal backdrop will influence your negotiations and will affect how potential institutional customers view your business and practices.
III. Potential Implications of Being a Financial Institution
Data security breaches can result in direct liability to your company. For example, regulations under the Gramm-Leach-Bliley Act (discussed above) place responsibility for data security directly with the board of directors. And the Sarbanes-Oxley Act (applicable to public companies) makes the CEO and CFO responsible.6 Industry organizations such as the PCI Security Standards Council7 may also supply practices that can be used to inform your standard of care as a service provider.
Recent enforcement activity by regulators has targeted compliance and other issues involving companies that work with financial institutions. The Consumer Financial Protection Bureau’s activities are of particular note for FinTech companies. The CFPB’s mandate is to focus on consumer protection in markets for consumer financial products and services. This mandate extends beyond banks and financial institutions alone8: the CFPB’s early enforcement actions have encompassed practices of service providers.
Breaches can also involve the allocation of financial losses among separate commercial entities. Personal information stolen from you, as a service provider who holds confidential information on behalf of a financial institution you provide services to, may injure that financial institution. It may need to take costly action to protect its customers and prevent losses on fraudulent transactions as a result of the breach—and may experience reputational damage as well. Provisions in your contract may allocate responsibility for such costs, which can be significant in relation to the size of your business, since guidance issued by federal banking regulators requires financial institutions to consider what protective measures are needed to safeguard personal information they permit third-party service providers to use.9 Case law also addresses such disputes.10 Cases deal with such issues as allocation of losses arising from cardholder data stolen from a merchant who failed to comply with Visa’s security procedures requiring merchants to delete information captured from the magnetic stripe on Visa payment cards after processing the transactions. This potential liability raises the stakes in your negotiations with financial institutions, even if your business is not itself a “financial institution”.
At the least your contract will include terms providing for some degree of ongoing oversight of your activities. The CFPB has announced its “expectation” that financial institutions oversee their service providers in a manner that ensures compliance with federal consumer financial protection law.11 Similarly, in recently updated policy statements in its IT Examination Handbook,12 the Federal Financial Institutions Examination Council reaffirmed that a financial institution’s board of directors and management have a duty to ensure that activities by third-party service providers, including FinTech companies, are conducted in a safe and sound manner and in compliance with applicable laws and regulations. To this end the FFIEC recently published a revised version of its Supervision of Technology Service Providers guidelines.13 The FFIEC’s focus in examining financial institutions is to ensure that weaknesses are addressed and risks are properly managed. Its examiners evaluate a financial institution’s – or a technology service provider’s – overall risk exposure and risk management performance. They apply a risk-based examination system based primarily on the following factors to determine the overall level of risk that a technology service provider presents to its client financial institutions:
- Board oversight. Level of involvement of the company’s board.
- Technical and managerial expertise. Competence and proactive approach by management.
- Policies and procedures. Quality, adequacy, and operation of policies and procedures relating to technology risks and data security.
- Audit and internal controls. Quality, adequacy, and operation of audit and internal controls, including levels of complaints and incidents or “red flags”.
These frameworks and priorities influence the way financial institutions should think about their relationships with technology service providers. Your data security processes and procedures can be a valuable marketing tool. But knowing the obligations and the standards of care that you or your counterparty are subject to should also inform your contract negotiations and can help you understand what you can or should agree to.
IV. Overview of Legal Requirements
There is no single comprehensive body of law on liability for data security breaches. Instead there is a patchwork of federal, state, and regulatory laws whose effects vary depending on context. But the following are certain key requirements imposed by various laws that you should be aware of as a player in the finance sector. In general, applicable law requires a process-based approach to the development and maintenance of a comprehensive security program. This means that the steps you take as a business to preempt privacy and data security breaches (as well as thoroughly documenting those steps) are of paramount importance in establishing your legal compliance.
Your company must have reasonable written policies and procedures to ensure the security and confidentiality of customer information and to protect against unauthorized access to or use of that information, both by third parties and by your own employees.14 Multiple federal agencies enforce these requirements, and have published interagency guidelines establishing standards in this area.15 If your business falls within the definition of a “financial institution” but you are not regulated by a specific banking agency, you may nevertheless fall within the ambit of the FTC’s Safeguards Rule,16 which the FTC enforces based on similar principles.17 In addition, your business will be subject to common law requirements that are similarly flexible in scope. Class actions such as those brought against ChoicePoint in the early days of data security litigation are good examples. Those cases involved allegations both of failure to implement adequate security measures and of a commensurate failure to disclose the breaches fully and in a timely manner once they occurred.18 Unfortunately there are no hard-and-fast rules, and the determination is context-specific. For instance, one court19 has decided that encryption of sensitive personal data is not a mandatory requirement in all circumstances, but another20 imposed liability where no steps were taken to protect similar data from a foreseeable risk of a security breach. And certain FTC settlements have resulted in express commitments from businesses to store data in a format that cannot be meaningfully interpreted if opened as a flat plain-text file, or in a location that is physically inaccessible to unauthorized persons or that is protected by a firewall.21
Government agencies do not only assess whether companies have established and are complying with appropriate policies, procedures, and processes that allow identification and reporting of suspicious activity. They also require assurance that companies can provide sufficient detail in reports to law enforcement agencies so that those reports are useful in investigating any suspicious transactions that are reported.22 Data retention is a common area of regulation with this end in mind. For instance, public companies (some of which you might work with or provide services to) are subject to Sarbanes-Oxley, which imposes its own data retention standards.23 And, as a private company, you should be ready for audits by federal or state regulatory agencies probing for weaknesses that they think may threaten consumers—audits that will center on an examination of your records and that will require you to explain any gaps.
The flip-side of effective data retention is appropriate data disposal. Keeping information you do not reasonably need to retain increases the likelihood of incurring liability in the event of a data security breach. Further, certain types of business are specifically targeted by legislators and regulators. For example, if your business involves collecting credit or consumer reports, then you are subject to the obligation to take various measures to prevent identity theft. Key among these requirements is having and complying with appropriate procedures relating to data disposal.24
Treatment consistent with promises
Disclosure of breaches
You have a general duty to disclose security breaches to those who may be adversely affected by any such breach. This duty is based primarily on state law,28 but also on certain key cases29 and federal agency guidelines.30 The kind of event that triggers a disclosure obligation therefore varies depending on the rules specifically applicable to your business. This uncertainty reinforces the importance of having robust processes for detecting breaches that could obligate you to inform or warn your customers, the government, or others. And of course the existence of the laws themselves underscores the importance of taking steps to reduce the risk of having to make a disclosure in the first place, thereby avoiding the reputational damage that could result.
The objective of these standards is generally to shield your company’s systems and information against unauthorized access, use, disclosure, or transfer, but also against modification or alteration, processing, or accidental loss or destruction. In designing safeguards, you should remember that the source of threats to your data security can be internal as well as external to your organization.
There are further legal requirements that apply if your business touches the EU. EU law specifically creates an individual right of access to any controller of personal data, broadly and with regard to any data processing function.31 Under a proposed new law, U.S. companies would have to ensure that use and storage of EU citizens’ personal data affords the same level of protection that such citizens are afforded within the EU.32
V. Best Practices and Guidelines
It is important for your business to establish clear processes that effectively address data security issues. The cost of implementing security measures – particularly relative to the size of your business – is a factor in determining the reasonableness of your precautions.33 However, no FinTech business is exempt from the standard and any breach will be evaluated in hindsight. Your focus should be on risk assessment, and on adopting security controls that are responsive to the particular threats your company faces.
Your board of directors should provide strategic oversight regarding information security policy and practices.34 You should ensure that the board understands how critical information and information security is to your organization, and you should endorse the development and implementation of a comprehensive information security program. You should advocate your company’s investment in information security and clearly document those investments as they occur. As a management team, a key procedural step is regularly reporting to the board on the adequacy and effectiveness of your company’s program.
The obligations that apply to financial institutions in particular are supplemented by a set of practices, many of which are recommended by government or industry bodies, that can create “good facts” for your business as you try to establish that your data security practices are reasonable. The following is a general overview of some of these best practices.
Have an executive officer with dedicated data security responsibility. Some experts point to major companies’ failure to place people in charge of data security in positions high-ranking enough in the corporate hierarchy.35 Creating a flatter organizational structure presents FinTech companies with an opportunity to differentiate themselves from larger competitors by having a data security officer with direct access to the rest of the management team and to the board. The EU is moving in this direction: one proposed directive would require all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals, and all public authorities to formally appoint a data protection officer.36
Implement preconceived processes and procedures. Reduce in-the-moment thinking; increase automation and the speed of your response.37 Setting up internal data security controls improves your company’s regulatory compliance38 and allows financial institutions you work with to assure themselves that they are satisfying their own regulatory compliance obligations. The process39 involves the following steps:
- Asset assessment. Identify those systems and information that need to be protected.
- Risk assessment. Regularly evaluate the particular threats to data security that you face (internal and external), the likelihood that those threats will come to pass, and the potential costs associated with those threats.
- Development. Develop and implement security measures designed to manage and control the specific risks you’ve identified in your risk assessment.
- Education. Educate your employees and contractors on an ongoing basis.
- Monitoring and testing. Ensure that your program is properly implemented and effective.
- Review and adjustment. Revise your program in light of your changing security needs.
Implement—and use—network security protections. Some companies that have access to sensitive information maintain strict policies on handling and transmitting data by employees, particularly through third-party servers.40 Allowing confidential data to be stored outside your firewall creates opportunities for targeted eavesdropping (use of programs to analyze the way multiple programs running simultaneously on the same operating system share memory space)41 or relay or man-in-the-middle attacks (real-time insertion between the reader/recipient of a message and the victim of the attack).42 Imaginative, proactive strategies for incentivizing employees to follow seemingly-burdensome data security procedures can help address such potential risks.43 Industry standards such as the Payment Card Industry Data Security Standard, summarized below,44 provide useful guidelines for specific steps you can take.
- Build and maintain a secure network. Install and maintain a firewall configuration to protect sensitive data. Do not use vendor-supplied defaults for system passwords and other security parameters. Encrypt transmission of sensitive data across open, public networks. Use and regularly update anti-virus software.
- Implement strong access control measures. Restrict access to sensitive data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to sensitive data.
- Regularly monitor and test networks. Track and monitor all access to network resources and sensitive data. Regularly test security systems and processes. Monitor developments in security and processing software to avoid falling behind.45
Be cautious about the cloud. The financial sector has been seen as ripe for use of cloud computing, but such developments raise data security issues.46 Public cloud services are becoming a favorite target of data thieves.47 And such third-party servers may be compelled to give up data in response to a subpoena—potentially circumventing privacy laws48 and thereby undermining customer confidence in your FinTech company in a way that is unrelated to your business and out of your control.
Monitor developments and learn from past events.49 A legal standard based on reasonableness is a moving target. As data security practices change, and as technology and security threats evolve in tandem, the measures you will have to take will likewise evolve. Avoid succumbing to a false sense of security50 by conducting periodic internal reviews and monitoring external developments and current events. Then take easily-documented and established steps in response to these reviews. For example, increasing numbers of online repositories of personal data are switching to HTTPS for their online presence/interface. This step is not yet broadly mandated, but settlements with certain key industry players, such as Google51 and Twitter52, have set the tone. The FTC has continued to provide updated guidance53 on its priorities in the realm of privacy and data security. And as discussed above, new rules and standards from the CFPB and FFIEC affect, both directly and indirectly, the FinTech sector. As a FinTech company, you should monitor such practices and guidance, and implement those elements that are reasonably applicable to your business and reasonable in cost.
The consequences to your company’s finances and reputation can be significant where any kind of personal data is compromised.54 In short, data security is a process, not a product.
The financial sector’s context-specific regulatory approach is likely to be put to the test as the balance of market power shifts between established financial institutions on the one hand and startups and nontraditional industry players on the other. Traditional financial institutions may now have the advantage in emerging markets such as mobile payments because they have proven security measures and solid reputations, but that could change quickly as new entrants challenge established players with new innovative offerings from equally powerful companies55 and nimble software-as-a-service businesses56 alike. But these newer or smaller players may not have the same experience dealing with and protecting sensitive information as they enter the finance industry. The problem is amplified by the increasing focus on mobile devices and the intersection of finance and tech in mobile payments: “In addition to financial information, mobile devices store tremendous amounts of personal and commercial data that may attract both targeted and mass-scale attacks.”57
Responding to these constraints and adhering to best practices can have their own benefits in addition to reducing legal risks. The increasing prevalence of software-as-a-service businesses used by financial institutions and by other types of companies outsourcing their financial-related processes means that a single data security breach is amplified and raises the stakes for both you and your competitors.58 A strong data security record is a valuable asset in an increasingly crowded marketplace.
Ian C. Wildgoose Brown is an associate in the Transactional Department (Corporate) at WilmerHale. He is also a member of the firm’s FinTech Group. Mr. Wildgoose Brown has a general corporate practice with an emphasis on mergers and acquisitions and capital markets transactions for companies at all stages of growth.
© 2013 Wilmer Cutler Pickering Hale and Dorr LLP
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.