Slide 1: Student Lending: Privacy and Data Security
Dino Tsibouris
(614) 360-3133
Dino@Tsibouris.com

Slide 2: Data Breaches Average $6.5M in Damage to US Companies

Slide 3: How much is your customers’ data worth?

Slide 4: Sample Student Loan Breaches
- Student loan data (2007; lost offsite storage media)
- Theft of portable media holding student loan records (2010; 3 million affected)
- Unauthorized website logins (2014; 1,328 affected)
- FAFSA auto-populated IRS data into false student loan applications, allowing fraudulent tax returns (2017; 100,000 affected)
Slide 6: Federal Privacy

Slide 7: Protecting Student Privacy Act
- Introduced in the Senate April 6, 2017
- Amends FERPA
- No PII to outside parties who do not have a comprehensive information security program
- Must keep records of those with access to PII
- Outside parties must:
  - Provide parental access to PII
  - Offer hearings through the institution to address data correction and deletion

Slide 8: Federal Disclosures: GLBA Model Privacy Notice
- Applies to financial institutions
- Initial, annual, and revised privacy notices must be sent to customers
- FAST Act of 2015 (PL 114-94) eliminated the requirement to deliver annual notices in limited cases

Slide 10: Federal Disclosures: GLBA Model Privacy Notice
Annual notices eliminated if:
- NPI is not shared in a way that triggers an opt-out right under GLBA or FCRA Section 603
- No changes to policies and practices since the last notice
- The model form is used

Slide 11: Federal Disclosures: GLBA Model Privacy Notice
- CFPB proposed regulations to implement the 2015 amendment in July 2016
- Not finalized yet
- NCUA treats the statutory exemption as effective (16-CU-03)
- FDIC, CFPB, and FRB examination procedures are similar
- OCC has not provided guidance

Slide 12: FTC Update on COPPA
- Children’s Online Privacy Protection Act, 16 CFR 312
- Updated business guidance issued Jun 21, 2017
- Adds coverage of “IoT” devices as well as websites and mobile apps
- Adds knowledge-based authentication questions and facial recognition as methods of obtaining parental consent

Slide 14: FTC Update on COPPA
- Determine if you collect personal information from kids under 13
- Post a compliant privacy policy
- Notify parents directly before collecting data
- Get parents’ verifiable consent
- Honor parents’ ongoing rights
- Implement reasonable security procedures

Slide 15: FTC Enforcement: Leads
- Purchasing lists and leads is common in student lending
- Lists should contain the names of persons who authorized the collection and sharing of their data
- Contracts for the purchase of leads should include representations and warranties ensuring the leads have agreed to have their information collected and shared with you
- 2015: FTC hosted lead generation compliance workshops
- 2016: FTC took action against a lead generator
Slide 19: State Privacy

Slide 20: Background: California AG Data Breach Report
Key recommendations:
- “Reasonable security” involves 20 controls (Center for Internet Security’s Critical Security Controls)
- Multi-factor authentication
- Strong encryption on portable and desktop devices

Slide 21: State Breach Notification Laws: California AB-2828 (1/1/17)
“(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or,”

Slide 22: State Breach Notification Laws: California AB-2828 (1/1/17)
“(2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.”

Slide 23: State Breach Notification Laws: California AB-2828 (1/1/17)
“For purposes of this section, ‘encrypted’ means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

Slide 24: State Breach Notification Laws: Illinois HB1260 (1/1/17)
- Notify if a username and password/security question combination is acquired
- Encryption safe harbor does not apply if the key is compromised
- May notify electronically
- If the entity is subject to GLBA, GLBA compliance is deemed equivalent

Slide 25: State Breach Notification Laws: Nebraska L.B. 835 (7/21/16)
- Includes username or email address combined with password/security question
- Encryption safe harbor not applicable if the key is compromised
- Notification to the Attorney General if consumer notice is required

Slide 26: State Breach Notification Laws: New Mexico HB 15 (6/17/17)
- Notify if “significant risk of identity theft or fraud”
- Notification within 45 days unless a delay is requested by law enforcement
- Notification to the Attorney General and major CRAs if over 1,000 residents are affected

Slide 27: State Breach Notification Laws: New Mexico HB 15 (6/17/17)
- Must dispose of PII when no longer needed
- Contractually require service providers to have reasonable security and protect PII
- No definition of “reasonable”
- Does not apply to entities subject to GLBA

Slide 28: State Breach Notification Laws: Tennessee (4/1/17)
- Exception for encrypted data if NIST FIPS 140-2 compliant
- 45-day notification time frame, extended an additional 45 days if further investigation is requested by law enforcement
- Private right of action
- Excludes companies subject to Title V of GLBA

Slide 29: State Cybersecurity Regulation: New York (3/1/17)
- Applies to entities regulated by the NY DFS
- Written annual risk assessment
- Written cybersecurity policy
- Written incident response plan

Slide 30: State Cybersecurity Regulation: New York (3/1/17)
- Appointment of a CISO
- Annual penetration tests (defined) and quarterly vulnerability assessments (undefined)
- “Adequate staffing”
- Regular awareness training, updated annually

Slide 31: State Cybersecurity Regulation: New York (3/1/17)
- Maintain audit trail and documentation for six years
- Encryption in transit and at rest
- Annual certification to NY DFS

Slide 32: State Cybersecurity Regulation: New York (3/1/17)
- Third party service provider security policy (required within the next two years)
- Multifactor authentication
- “Risk-based authentication” (undefined)
- Notify NY DFS within 72 hours of a cybersecurity event

Slide 33: State Law Data Breach Considerations
- Access triggers notification
- Encrypted data exclusion
- Risk of harm analysis
- Notice to AG or regulator
- Notice within a specified time frame
- Private cause of action
- Paper records may trigger notice
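The factors listed on Slides 21 through 33 (encrypted-data exclusion, loss of the exclusion when the key is compromised, the FIPS 140-2 condition in Tennessee, the New Mexico risk-of-harm test, the GLBA carve-outs, the 45-day periods and the regulator notices) are the inputs an incident-response playbook has to triage. The Python below is an added example written for this page, not the presenter's material or any statute text: it encodes only the rules as the slides summarise them, the state codes, field names and function names are the example's own, and where a slide states no fixed notice period the deadline function returns None.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Per-state rules as summarised on Slides 21-28 and 32 (simplified model for IR triage,
# not statute text). An absent key means the slide does not state that element.
STATE_RULES = {
    "CA": {},
    "IL": {},
    "NE": {"ag_notice_with_consumer_notice": True},
    "NM": {"deadline_days": 45, "risk_of_harm_test": True,
           "ag_and_cra_threshold": 1000, "glba_entities_excluded": True},
    "TN": {"deadline_days": 45, "le_extension_days": 45,
           "fips_140_2_required": True, "glba_entities_excluded": True},
}
NY_DFS_HOURS = 72  # Slide 32: notify NY DFS within 72 hours of a cybersecurity event


@dataclass
class BreachFacts:
    """Facts an incident responder fills in once a breach is confirmed (constructed fields)."""
    state: str                             # key of STATE_RULES
    discovered: str                        # ISO date the breach was discovered
    encrypted: bool = False                # PI was encrypted (generally accepted technology)
    key_compromised: bool = False          # key/credential also acquired and believed usable
    fips_140_2: bool = False               # encryption is FIPS 140-2 compliant (TN safe harbor)
    significant_risk: bool = True          # NM: "significant risk of identity theft or fraud"
    residents_affected: int = 0
    subject_to_glba: bool = False
    law_enforcement_request: bool = False  # law enforcement asked for a delay / more investigation
    ny_dfs_regulated: bool = False         # entity regulated by NY DFS


def safe_harbor_applies(f: BreachFacts) -> bool:
    """Encrypted-data exclusion. Every state on the slides loses it once the key is
    compromised; Tennessee additionally requires FIPS 140-2 compliant encryption."""
    if not f.encrypted or f.key_compromised:
        return False
    if STATE_RULES[f.state].get("fips_140_2_required") and not f.fips_140_2:
        return False
    return True


def consumer_notice_required(f: BreachFacts) -> bool:
    """Is individual notice triggered under the state rule as the slides summarise it?"""
    rules = STATE_RULES[f.state]
    if rules.get("glba_entities_excluded") and f.subject_to_glba:
        return False              # NM and TN carve out GLBA-regulated entities
    if safe_harbor_applies(f):
        return False              # encrypted-data exclusion
    if rules.get("risk_of_harm_test") and not f.significant_risk:
        return False              # NM: notify only on significant risk of identity theft
    return True


def consumer_notice_deadline(f: BreachFacts) -> Optional[str]:
    """ISO date by which individuals must be notified, or None when no notice is due,
    the slides give no fixed period (CA/IL/NE), or law enforcement has asked for an
    open-ended delay (NM)."""
    rules = STATE_RULES[f.state]
    days = rules.get("deadline_days")
    if days is None or not consumer_notice_required(f):
        return None
    if f.law_enforcement_request:
        extension = rules.get("le_extension_days")
        if extension is None:
            return None           # NM: delayed at law enforcement's request, no fixed end
        days += extension         # TN: one additional 45-day period
    return (date.fromisoformat(f.discovered) + timedelta(days=days)).isoformat()


def regulator_notices(f: BreachFacts) -> list[tuple[str, Optional[str]]]:
    """Regulators (and CRAs) that must also be told, with a deadline where one is stated."""
    out: list[tuple[str, Optional[str]]] = []
    rules = STATE_RULES[f.state]
    if consumer_notice_required(f):
        if rules.get("ag_notice_with_consumer_notice"):
            out.append(("State Attorney General", None))         # NE
        threshold = rules.get("ag_and_cra_threshold")
        if threshold is not None and f.residents_affected > threshold:
            out.append(("State Attorney General", None))         # NM, over 1,000 residents
            out.append(("Major consumer reporting agencies", None))
    if f.ny_dfs_regulated:        # the DFS regulation runs independently of the breach statute
        out.append(("NY DFS", f"within {NY_DFS_HOURS} hours of the cybersecurity event"))
    return out


if __name__ == "__main__":
    # Constructed scenario: lost laptop with encrypted but non-FIPS student loan records in TN.
    facts = BreachFacts("TN", "2017-07-01", encrypted=True, residents_affected=2500)
    print("consumer notice:", consumer_notice_required(facts))
    print("deadline:", consumer_notice_deadline(facts))
    print("regulators:", regulator_notices(facts))
```

The model is deliberately conservative in one respect: a breach of encrypted data is treated as notifiable as soon as the key is believed usable, which is the California formulation and matches the Illinois and Nebraska bullets, so an incident responder starts from the stricter reading and relaxes only with counsel.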
Slide 34: Privacy Statements and Notices: Putting It In Writing

Slide 36: State Disclosures: California Privacy Notice
- California Online Privacy Protection Act of 2003
- Applies if you collect PII from a single California visitor
- Website privacy policy required:
  - On the home page or first significant page on the site
  - Linked icon using the word “privacy” in a contrasting color

Slide 37: State Disclosures: California Privacy Notice
Must include:
- Categories of PII collected
- Categories of third parties with whom PII is shared
- Process for reviewing and requesting changes to PII
- Description of the change notification process
- Effective date

Slide 38: State Disclosures: California Privacy Notice
- Using the GLBA Model Privacy Notice as the website privacy notice does not comply with state law requirements

Slide 40: Website Privacy Policies
(screenshot of a bank website footer: Site Map, Terms of Use, Privacy, ©2017 Member FDIC)

Slide 41: Website Privacy

Slide 42: Website Privacy - Updates

Slide 43: Website Privacy - Updates

Slide 44: Mobile Privacy - Updates
Slide 45: Marketplace Lender and Service Provider Compliance Challenges
- More than one entity with legal terms, where the roles of each may not be readily apparent to the consumer
- Pay particular attention to FDIC/OCC marketplace and third-party guidance
- Whose legal terms (GLBA, Privacy Policy, Terms of Use, ESIGN) are binding?
- Are information sharing activities properly disclosed in these documents?
- Are there any activities that will draw the attention of regulators?

Slide 46: Service Providers

Slide 47: What the right hand giveth…
“Vendor agrees that personally identifiable information provided by Lender to Vendor shall be confidential information and shall only be used to perform the services set forth in this agreement.”
“Vendor agrees to protect confidential information in accordance with applicable federal, state, and local law.”

Slide 48: …the left hand taketh away?
“Vendor shall not be liable for direct, indirect, consequential, exemplary, or any other damages.”
“Vendor’s liability shall be limited to an amount equal to the fees paid by Lender to Vendor in the six (6) months prior to date of the act or omission from which Vendor’s liability arises.”

Slide 49: Questions & Answers
Dino Tsibouris
(614) 360-3133
dino@Tsibouris.com