<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>Bank Lawyer&#39;s Blog</title>
    <link rel="self" type="application/atom+xml" href="http://www.banklawyersblog.com/3_bank_lawyers/atom.xml" />
    <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/" />
    <id>tag:typepad.com,2003:weblog-29532</id>
    <updated>2013-05-12T21:47:00-05:00</updated>
    <subtitle>Commentary on Banking Law</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <entry>
        <title>Camden Fine Fires Off A Fine Salvo</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/05/camden-fine-fires-off-a-fine-salvo.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/05/camden-fine-fires-off-a-fine-salvo.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017eeb0ecbde970d</id>
        <published>2013-05-12T21:47:00-05:00</published>
        <updated>2013-05-12T21:47:00-05:00</updated>
        <summary>In a recent opinion piece for Bloomberg News, ICBA CEO Camden Fine was in fine fettle, ranting about his favorite topic: new regulatory burdens are strangling community banks while the largest banks are doing just fine, thank you very much. Among his...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Accounting/Auditing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Capital" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="CFPB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Commercial Lending" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Deposits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Ethics" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Federal Legislation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Lending" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Mortgage Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Reporting" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01901c111b9c970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Cam Fine (2)" class="asset  asset-image at-xid-6a00d8341c652b53ef01901c111b9c970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01901c111b9c970b-120wi" style="margin: 0px 5px 5px 0px;" title="Cam Fine (2)" /></a>In a recent opinion piece for Bloomberg News, ICBA CEO Camden Fine was in fine fettle, ranting about his favorite topic: new regulatory burdens are strangling community banks while the largest banks are doing just fine, thank you very much. Among his salient points are the following:</p>
<blockquote>
<p><strong><em>The megabanks are benefiting from what <a href="http://www.bloomberg.com/news/2013-02-20/why-should-taxpayers-give-big-banks-83-billion-a-year-.html" rel="external" title="Open Web Site">Bloomberg View</a>
calculated is an $83 billion annual taxpayer subsidy, the value
of implicit guarantees by the <a href="http://topics.bloomberg.com/u.s.-treasury/">U.S. Treasury</a>. Bloomberg View was
correct to characterize the too-big-to-fail subsidy as “a major
driver of the largest banks’ profits.” </em></strong></p>
<p><strong><em>Perversely, Federal Deposit Insurance Corp. <a href="http://www2.fdic.gov/qbp/2012dec/qbpall.html" rel="external" title="Open Web Site">data</a> show that
large banks have both the lowest credit quality and the lowest
cost of funds in the industry. Community banks rank the highest
in both categories even though they have had to compete for
years against the megabanks’ access to cheaper money in pricing
loans. In addition, community banks must compete against the big
lenders’ lower comparative costs in handling regulatory
paperwork.</em></strong> </p>
</blockquote>
<p>While Cam complains that this is &quot;morally wrong,&quot; I suspect that in a nation overrun with Pontius Pilates who sneer in the throes of their born-again relativism &quot;What is &#39;truth&#39;?,&quot; appealing to &quot;morality&quot; as a behavior influencer will have as much impact on Congress as a stern talking-to by Pope Francis would have on Charlie Sheen. More effective on the morally challenged are likely to be his economic arguments.</p>
<blockquote>
<p><strong><em>Community banks should be putting their capital to work in the small towns, rural communities and middle-class urban enclaves
they know well. Instead, they are focusing too many of their
precious human resources on onerous paperwork and time-consuming
compliance measures. 
</em></strong></p>
<p><strong><em>Community banks are the source of almost 60 percent of all
small-business loans of less than $1 million, as well as
mortgage and consumer loans tailored to the needs of their local
communities. Large banking organizations with more than $50
billion in assets hold almost 40 percent of outstanding small
loans to businesses, according to the Federal Reserve, but loans
to small businesses aren’t a significant portion of large-bank
lending. Small-business loans represent less than 5 percent of
the large banks’ total domestic lending.</em></strong></p>
</blockquote>
<p>Cam outlines five specific steps Congress and the federal regulators could take to help community banks (and credit unions, for that matter, although Cam would choke on his own tongue before admitting it). They include:</p>
<ul>
<li>Easing up on some of the more onerous residential mortgage lending and servicing rules.</li>
<li>Eliminating the requirement that community banks report on every new small business loan application.</li>
<li>Requiring a cost-benefit analysis for all new regulations and prohibiting the issuance of any regulation where the cost exceeds the benefit.</li>
<li>Raising the threshold to $350 million in assets for the requirement for an audit of a bank&#39;s internal controls.</li>
<li>Eliminating the annual requirement for sending no-change privacy policies.</li>
</ul>
<p>These are all helpful suggestions, but I&#39;m frankly surprised that he didn&#39;t also call for the carpet bombing of CFPB&#39;s D.C. headquarters and insist that Jamie Dimon&#39;s king-size bed be short-sheeted. Oh well, the year is not even half over. There&#39;s still time to get down to the really important stuff.</p></div>
</content>


    </entry>
    <entry>
        <title>One More Black Eye For Payday Lenders</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/09/one-more-black-eye-for-payday-lenders.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/09/one-more-black-eye-for-payday-lenders.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017744cd1082970d</id>
        <published>2012-09-17T22:53:00-05:00</published>
        <updated>2012-09-17T22:53:00-05:00</updated>
        <summary>Brian Krebs posted a provocative entry today on his blog concerning a potential link between a web site that sells personal information on Americans and that may be obtaining much of its information &quot;from a network of hacked or complicit...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Lending" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017d3c1da604970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Personal data" class="asset  asset-image at-xid-6a00d8341c652b53ef017d3c1da604970c" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017d3c1da604970c-120wi" style="margin: 0px 5px 5px 0px;" title="Personal data" /></a>Brian Krebs posted <a href="http://krebsonsecurity.com/2012/09/id-theft-service-tied-to-payday-loan-sites/" target="_self">a provocative entry today</a> on his blog concerning a potential link between a web site that sells personal information on Americans and that may be obtaining much of its information &quot;from a network of hacked or complicit payday loan sites.&quot; Just what the payday lending business needed, more bad publicity.</p>
<blockquote>
<p><em><strong>Users can search for an individual’s information by name, city and 
state (for .3 credits per search), and from there it costs 2.7 credits 
per SSN or DOB record (between $1.61 to $2.24 per record, depending on 
the volume of credits purchased). This portion of the service is 
remarkably similar to <a href="http://krebsonsecurity.com/2011/11/how-much-is-your-identity-worth/" target="_blank" title="How Much is Your Identity Worth?">an underground site I profiled last year</a> which sold the same type of information, even offering a reseller plan.</strong></em></p>
<p><em><strong>What sets this service apart is the addition of more than 330,000 
records (plus more being added each day) that appear to be connected to a
 satellite of Web sites that negotiate with a variety of lenders to 
offer payday loans.</strong></em></p>
</blockquote>
<p>Krebs has done some decent detective work, which is way more effort than slackers like the author of this blog would ever undertake, unless someone was paying me to do it, of course. He talked to a number of people whose personal information is being sold, and located one who gave him the name of the payday lending &quot;referral&quot; site she used. Krebs has reached out to that site but, to no one&#39;s surprise, he&#39;s heard nothing in response but the sound of crickets chirping. Anyone interested in that name should read Krebs&#39; blog post.</p>
<p>Krebs also discusses potential criminal liability for selling someone else&#39;s social security number without their consent. Any payday lending sites that are engaged in such activities probably understand that they&#39;re skating on thin ice and simply don&#39;t care. It may also be the case that the payday lending site information systems have been hacked.</p>
<p>Krebs&#39; last piece of advice to individuals is likely sound, but also likely to cause heartburn to banks.</p>
<blockquote>
<p><strong><em>The next time you call your bank or interact with a company that asks 
you to authenticate yourself by reciting some or all of your Social 
Security number, birth date, mother’s maiden name — or any other 
personal information that you may assume is private — remember that 
services like this exist. Whenever possible, I think it’s an excellent 
idea to insist that these entities authenticate you using alternative 
questions and answers that are truly private to you and to you alone.</em></strong></p>
</blockquote>
<p>The potential problem I see with that approach is that it might be difficult to automate a process to obtain truly unique questions and answers on a person-by-person basis. I&#39;m by no means technologically sophisticated enough to know if that&#39;s the case, but I suspect it would be more costly to program a process in which truly unique questions were created by the user as opposed to a relatively small menu of standard questions (mother&#39;s maiden name, first job, name of best friend, etc.). Nevertheless, the continued activities of those who push the envelope of what&#39;s legally permissible continue to create headaches for the law-abiding.</p></div>
</content>


    </entry>
    <entry>
        <title>CFPB Solicits Undercover Brothers (And Sisters)</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/08/cfpb-solicits-undercover-brothers-and-sisters.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/08/cfpb-solicits-undercover-brothers-and-sisters.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef016769516b1d970b</id>
        <published>2012-08-16T21:51:00-05:00</published>
        <updated>2012-08-16T23:06:42-05:00</updated>
        <summary>Not content with exercising its virtually unchecked &quot;right&quot; to probe into every nook and cranny of a financial institution&#39;s affairs (including those protected by attorney-client privilege) in the bright light of day, a recent article in The Washington Times disclosed...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="CFPB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef016769516995970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Spy" class="asset  asset-image at-xid-6a00d8341c652b53ef016769516995970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef016769516995970b-120wi" style="margin: 0px 5px 5px 0px;" title="Spy" /></a>Not content with exercising its virtually unchecked &quot;right&quot; to probe into every nook and cranny of a financial institution&#39;s affairs (including those <a href="http://www.banklawyersblog.com/3_bank_lawyers/2012/04/american-bar-association-to-cfpb-thats-not-legally-sound.html" target="_self">protected by attorney-client privilege</a>) in the bright light of day, <a href="http://www.washingtontimes.com/news/2012/aug/12/consumer-bureau-seeks-sleuths-for-bad-bankers/" target="_self">a recent article in <em>The Washington Times</em></a> disclosed that our favorite federal watchdog is recruiting operatives &quot;to go undercover to pursue cases against banks, credit card companies and other financial companies.&quot;</p>
<blockquote>
<p><strong><em>“As needed,” one recent recruitment ad stated to potential  investigators, “establish and conduct surveillance activity to develop  both intelligence and evidence to further investigations. Utilize  surveillance activities to identify subjects, their activities and their  associates, corroborate source information and collect evidence.” </em></strong></p>
</blockquote>
<p>In keeping with its consistent pattern of paying its minions above-market wages, annual salaries for the spies will range from $98,000 to $149,000. Surely, that&#39;s not too much to pay folks who will be putting their lives on the line 24/7/365 in situations where, if their cover&#39;s blown, an angry teller could stuff an exploding dye pack down the front of their boxers or briefs.</p>
<blockquote>
<p><strong><em>The recruitment effort also makes clear that while working under  enforcement lawyers, investigators would be assigned to “delicate  matters, issues and investigative problems for which there are few, if  any, established criteria.”</em></strong></p>
</blockquote>
<p>&quot;Delicate matters.&quot; As delicate as ferreting out the exact percentage of Cherokee DNA in Liz Warren&#39;s personal genome? As delicate as building switchbacks up Joe Biden&#39;s backside to delicately remove his head? As delicate as Leonard Nimoy&#39;s task in his episode &quot;In Search Of: Maxine Waters&#39; IQ&quot;?</p>
<p>Perhaps not THAT delicate, but still...</p>
<p>And how are we, the average citizen, who might unknowingly befriend such a sleuth and find ourselves caught between our personal concupiscence and our tattered sense of right and wrong in a trap sprung on us by a mole who betrays our trust and, like <a href="http://www.urbandictionary.com/define.php?term=pod%20person" target="_self">a Pod Person</a>, screams our guilt to a crowd of brain-eating CFPB zombies, to be assured that we won&#39;t be &quot;entrapped&quot; or otherwise have our rights abused by these agents of the <span style="text-decoration: line-through;">KGB</span> CFPB?&#0160; The CFPB responds soothingly: &quot;Trust Us.&quot;</p>
<blockquote>
<p><strong><em>“Investigative work conducted by our staff will be covered by Consumer Financial Protection Bureau policies to ensure all practices comply with applicable laws and  regulations and protect individuals’ privacy rights,” said bureau  spokeswoman Moira Vahey. </em></strong></p>
</blockquote>
<p>Yes, you heard her correctly: she&#39;s saying &quot;No worries, mate! We&#39;ll police ourselves.&quot;</p>
<p>One is reminded of Otter&#39;s famous line to Flounder in the movie &quot;Animal House,&quot; after the frat brothers had wrecked Flounder&#39;s brother&#39;s Caddy: &quot;You F***ed up! You trusted us!&quot;</p>
<blockquote>
<p><strong><em>A similar plan at the Department of Health and Human Services was  scrapped last year after some members of Congress complained that it  amounted to spying. Health officials wanted to send “mystery shoppers”  into doctors’ offices to gauge Medicaid and Medicare patients’ access to  primary care physicians.</em></strong></p>
</blockquote>
<p>Thus, there&#39;s hope that in an election year, the CFPB&#39;s plan will generate enough publicly partisan sniping to at least delay the start of &quot;Operation Recess Richie On The Down-low&quot; until a new Congress can clip the wings (and tail, wings and beak) of the CFPB. Then again, the article notes that the FTC last year approved an operation that sent undercover adolescents into their local Game Stop or Best Buy <em>sans adults</em> to try to purchase &quot;M&quot;-rated video games, so there is precedent for this sort of high-level espionage operation.</p>
<p>Because this involves a left-wing operation by The Leviathan, the usual suspects who customarily scream publicly about any government interference in our lives (like <a href="http://www.firstamendmentcenter.org/mosque-spying-case-against-fbi-dismissed" target="_self">spying on potential al-Qaeda members</a> or using the words <a href="http://www.aclu.org/content/aclu-urges-supreme-court-uphold-ruling-removing-phrase-under-god-pledge-allegiance-recited-p" target="_self">&quot;under God&quot; in the Pledge of Allegiance</a>) are not-so-strangely silent.</p>
<blockquote>
<p><strong><em>The American Civil Liberties Union (ACLU), which has criticized many  federal government surveillance activities, declined to comment on the consumer bureau recruitment ad. </em></strong></p>
</blockquote>
<p><em>CFPB delenda est!</em></p></div>
</content>


    </entry>
    <entry>
        <title>A Fig Leaf For Online Exposure</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/04/a-fig-leaf-for-online-exposure.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/04/a-fig-leaf-for-online-exposure.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef016303efd4f2970d</id>
        <published>2012-04-10T21:32:00-05:00</published>
        <updated>2012-04-10T21:32:00-05:00</updated>
        <summary>Although I rarely do book reviews, I actually asked to review “Protecting Your Internet Identity: Are You Naked Online?” I know and admire one of the co-authors, Theresa Payton, the former (and first female) White House Chief Information Officer, and...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Blogging" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><em> <a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef016303efd498970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Privacy-card" class="asset  asset-image at-xid-6a00d8341c652b53ef016303efd498970d" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef016303efd498970d-120wi" style="margin: 0px 5px 5px 0px;" title="Privacy-card" /></a>Although I rarely do book reviews, I actually asked to review “<a href="http://www.amazon.com/Protecting-Your-Internet-Identity-Online/dp/1442212195/ref=ntt_at_ep_dpt_1/178-3058976-9945709" target="_self">Protecting Your Internet Identity: Are You Naked Online?</a>” I know and admire one of the co-authors, Theresa Payton, the former (and first female) White House Chief Information Officer, and when I discovered she, and co-author Ted Claypoole, had written a practical book of advice for their “Moms, Grandmoms, Friends, and kids,” concerning how the privacy of their personal information is at risk and how to protect it, I requested an advance copy, and Theresa was kind enough to provide one.</em></p>
<p>Authors Theresa Payton and Ted Claypoole begin their book “<a href="http://www.amazon.com/Protecting-Your-Internet-Identity-Online/dp/1442212195/ref=ntt_at_ep_dpt_1/178-3058976-9945709" target="_self">Protecting Your Internet Identity: Are You Naked Online?</a>” by making the assumption that most of us don’t wish to live our lives as Madonna does, where nothing that isn’t exposed to public glare has meaning. For most of the rest of us, I think it’s fair to assume that there exists much information that we believe is “none of your damn business.” That being the case, it’s imperative that each of us understands that the Internet poses serious risks of exposure and unauthorized use of our “private information,” and further understands how best to protect our privacy while using a medium that makes it difficult to counter the authors’ contention that “we are all entertainers and publishers now.”</p>
<p>Starting at the end, in the last chapter of the book the authors assure readers that their intent is not to scare but to inform, not to deter people from participating in online activity, but to give them the knowledge and the tools to do so safely, or at least as safely as can be done in a world where, to me, the crooks always seem to be just one step ahead of the good guys. While the book is chock-full of real-life examples of bad things happening to good people on the internet, the goal is not merely to sensationalize but to teach valuable lessons about how to do things right. From well-known privacy disasters like the notorious Washingtonienne blog to privacy thieves preying on soldiers serving in war zones, the examples lead to lessons, and valuable lessons they are. While those of us who’ve spent considerable time in this area may think that the authors’ intent to inform their grandparents might make the book’s content too basic, I found its breadth and depth not only a useful synthesis of the subject matter, but I discovered nuggets of gold that I’d previously overlooked in the twenty years I’ve spent panning this stream.</p>
<p>Starting with a good basic overview of how you expose your own private information while participating in online activities, the authors also show you how others, from businesses, governments, friends, employers, co-workers, and those friendly social media forums like Facebook, extract, use, and sometimes expose your private information, and how crooks and plain old stalkers gain access to and use your private information to commit crimes. Again, the real-life examples are followed by lessons, and the authors frequently provide useful checklists that readers can use to protect their privacy in various settings, including an entire chapter that is essentially a thorough “self-assessment checklist” that allows an individual to determine all of the different ways he or she is revealing his or her personal information online. Many of those ways will engender “uh-oh” revelatory moments from many readers. They follow with a chapter that, while not exactly a twelve-step program for internet privacy dunces, sets out a useful program for “repairing the damage” caused by intentional or inadvertent “oversharing.”</p>
<p>The chapter on behavioral targeting touches on a sore point with me. Relatives and friends with whom I connect on Facebook are constantly bombarding me with inducements to participate in some activity that involves downloading software or otherwise permitting access to my information and/or activities in a way that will allow a third party marketing outfit to track my behavior online. I intend to encourage each of them to buy this book and read this chapter so that they’ll NEVER again bug me with such requests. Yes, I know, that&#39;s wishful thinking.</p>
<p>Discussions of identity theft and defamation offer practical advice in a form that avoids the bane of a lawyer’s existence: “legal mumbo jumbo.” Identity theft is discussed in terms of how to prevent it and what to do if you’re a victim of it. Once again, the authors offer checklists that should prove to be valuable resources to non-lawyers and lawyers alike. The discussion of defamation gives a layperson useful guidance in an area of the law that, based upon some of the email I receive, is woefully misunderstood by even highly educated people.</p>
<p>The authors devote two very readable chapters on what amounts to “branding” and marketing yourself online. While that might sound as if it&#39;s a bit off topic, it actually presents a nice change of pace from the previous chapters’ focus on the bad things that can happen to good people online. Assuming you’ve been paying attention to the initial chapters of the book and “play wisely,” the authors offer useful advice on how to enhance, rather than merely protect, your “online persona.”</p>
<p>If the authors are correct in their contention that “we’re all entertainers and publishers now,” this book will be a valuable, practical resource for all of us soft-shoe hoofers who dance through cyberspace and want to do it safely.</p></div>
</content>


    </entry>
    <entry>
        <title>The Unpopularity of Sunlight Among Vampires</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/03/the-unpopularity-of-sunlight-among-vampires.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/03/the-unpopularity-of-sunlight-among-vampires.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef0163025eb333970d</id>
        <published>2012-03-04T21:36:00-06:00</published>
        <updated>2012-03-04T21:36:00-06:00</updated>
        <summary>I took some heat--some of it good natured and some of it not--from those corners of the universe where criticism of bureaucratic failings is accorded the same respect as Torquemada accorded the average heretic, about my recent expressions of amusement...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Conservatorship/Receivership" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FDIC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OTS" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Politics" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Practice of Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0163025eb2fd970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Secret Society" class="asset  asset-image at-xid-6a00d8341c652b53ef0163025eb2fd970d" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0163025eb2fd970d-120wi" style="margin: 0px 5px 5px 0px;" title="Secret Society" /></a>I took some heat--some of it good natured and some of it not--from those corners of the universe where criticism of bureaucratic failings is accorded the same respect as Torquemada accorded the average heretic, about <a href="http://www.banklawyersblog.com/3_bank_lawyers/2012/02/bank-western-still-standing.html" target="_self">my recent expressions of amusement</a> regarding the fears of federal bank regulators that their deliberations regarding the take down of United Western Bank in Denver might see the light of day. My critics were fond of pointing to the admonitions of federal appellate courts that such deliberations need secrecy because otherwise bureaucrats wouldn&#39;t speak to one another. And that result would be a <em>problem</em>?</p>
<p>As someone who spends his professional life conducting privileged conversations, I understand that a certain amount of back-and-forth between regulators ought to be accorded confidentiality. I especially understand that need when the subject is sports or sex. However, when the content of the conversations is the very basis of a decision to close down a bank, wipe out the owners (and likely many unsecured creditors other than insured depositors), and, in most cases, throw a number of people out of work, I think the need for secrecy is outweighed by the rights of those legitimately challenging the regulator&#39;s decision. To continue to fight tooth-and-nail to prevent release of such deliberations smacks of the well-founded nervousness of someone with something to hide.</p>
<p>On a broader plane, I think secrecy within bureaucracies is dangerous. In his short work &quot;<a href="http://www.amazon.com/All-Things-Considered-G-Chesterton/dp/1463726716/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1330802532&amp;sr=1-1" target="_self">All Things Considered</a>,&quot; that brilliant apostle of common sense, G.K. Chesterton, put the case much better than I could ever hope to.</p>
<blockquote>
<p><em><strong>Society is becoming a secret society. The modern tyrant is evil because of his elusiveness. He is more nameless than his slave. He is not more of a bully than the tyrants of the past; but he is more of a coward...The elaborate machinery which was once used to make men responsible is now used solely in order to shift the responsibility. People talk about the pride of tyrants; but we in this age are not suffering from the pride of tyrants. We are suffering from the shyness of tyrants; from the shrinking modesty of tyrants. Therefore we must not encourage leader-writers to be shy; we must not inflame their already exaggerated modesty. Rather we must attempt to lure them to be vain and ostentatious; so that through ostentation they may at last find their way to honesty.</strong></em></p>
</blockquote>
<p>Chesterton published that book in 1908. He&#39;d expressed the hope that the dangers he discussed would be fleeting ones, and that &quot;if all goes well this book will be unintelligible gibberish&quot; to future generations. I don&#39;t think things have gone that well because his observations seem more intelligible and applicable today than they might have been over a century ago.</p>
<p>My default position is that transparency trumps secrecy, especially where we&#39;re talking about a challenge to governmental action that has serious consequences and for which the legal remedies available to the &quot;injured&quot; are limited. Apparently, that position makes me an unpopular person in some quarters. I can live with that.</p></div>
</content>


    </entry>
    <entry>
        <title>One Woman&#39;s James Bond Is Another Woman&#39;s Trojan Horse</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2011/08/one-womans-james-bond-is-another-womans-trojan-horse.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2011/08/one-womans-james-bond-is-another-womans-trojan-horse.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef014e8a4d5b6c970d</id>
        <published>2011-08-01T21:58:00-05:00</published>
        <updated>2011-08-01T21:58:00-05:00</updated>
        <summary>In what might have seemed like a good idea after she downed her third scotch-and-soda, Tanya Blackwell, a foreclosure defense attorney, got a job at GMAC’s Ally Financial and, according to allegations by Ally, proceeded to grab all the confidential...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Employment" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Ethics" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FTC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Practice of Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0153905a0d10970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Cat-traitor" class="asset  asset-image at-xid-6a00d8341c652b53ef0153905a0d10970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0153905a0d10970b-120wi" style="margin: 0px 5px 5px 0px;" title="Cat-traitor" /></a> In what might have seemed like a good idea after she downed her third scotch-and-soda, Tanya Blackwell, a foreclosure defense attorney, <a href="http://www.bizjournals.com/philadelphia/blog/jeff-blumenthal/2011/07/gmac-foreclosure-agent-moonlighted-as.html">got a job at GMAC’s Ally Financial</a> and, according to allegations by Ally, proceeded to grab all the confidential information of Ally’s she could lay her hands on and shoot it out the door to third parties, presumably to aid the employee’s law firm and others in fighting residential loan foreclosures commenced by Ally against delinquent borrowers. Those activities not only got her fired, they got her sued. <a href="http://www.bizjournals.com/philadelphia/blog/jeff-blumenthal/2011/07/prelim-injunction-in-ally-suit-against.html">Last Friday afternoon</a>, Ally and the defendant stipulated to a preliminary injunction pursuant to which “Blackwell is forbidden from ‘using, disclosing, disseminating or transmitting’ any of Ally’s proprietary information or destroying any information that would apply to this case,” and “she must also within 48 hours return any proprietary information to Ally and give her former employer all of her email passwords for accounts that contain information related to Ally.”</p>
<p>I may be wrong, but I don’t think this will turn out well for Ms. Blackwell. Her sanctions may not end with an adverse judgment or settlement in the civil litigation filed by Ally. I wouldn’t be surprised to see further repercussions.</p>
<p>As for Ally Financial, I guess it doesn’t use a social media review procedure as part of its pre-hiring due diligence process. I understand that some employment law attorneys have advised their clients not to review social media sites like Facebook, Twitter or MySpace for fear that the employer will uncover such impermissible information as race, age, or sex and be sued if it decides not to hire the prospective employee. I respectfully disagree with that approach, and believe that those risks can be managed. In fact, I think the weightier argument is that the employer may be deemed negligent if it doesn’t review social media sites.</p>
<p>Look at the case of Ms. Blackwell and Ally. <a href="http://www.facebook.com/pages/Philly-Foreclosure-Defense-Law-Office-of-Tanya-L-Blackwell/133917990020329">Ms. Blackwell’s Facebook page</a> makes it very clear that she’s all about representing the borrower against the lender. Is that someone a mortgage lender would think is a perfect fit for its in-house legal staff?</p>
<p>There have been <a href="http://www.news-press.com/article/20110731/BUSINESS/110730012/Digital-dilemma-Firms-check-out-employees-more-via-online-posts">a number of articles</a> recently that profile social media “scouring” and the third party vendors who provide this service. As one employment law attorney opines, you’re probably better off using a professional who can filter out the impermissible information and only pass along the squeaky clean stuff to you.</p>
<blockquote>
<p><em><strong>“It’s probably safer to work with a company to do the checks because that is what they are in the business of doing,” Potter said. “They understand the rules.”</strong></em></p>
</blockquote>
<p>Whether you hire a third party or &quot;roll your own,&quot; to me, there’s more risk in not doing a social media check than there is in doing one.</p></div>
</content>


    </entry>
    <entry>
        <title>2011: The Year of the Fish?</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2011/01/2011-the-year-of-the-fish.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2011/01/2011-the-year-of-the-fish.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef0147e1b7f3a7970b</id>
        <published>2011-01-18T21:30:00-06:00</published>
        <updated>2011-01-18T21:30:00-06:00</updated>
        <summary>According to The Fraud Blog&#39;s Tracy Kitten, bank security personnel are gearing up for a year in which they expect a lot more bad guys will &quot;go phishing&quot; (and &quot;vishing&quot;). Like most fraud, phishing attacks are increasing in number and...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0148c7c11ae2970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Phising" class="asset  asset-image at-xid-6a00d8341c652b53ef0148c7c11ae2970c" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0148c7c11ae2970c-120wi" style="margin: 0px 5px 5px 0px;" title="Phising" /></a> According to The Fraud Blog&#39;s <a href="http://blogs.bankinfosecurity.com/posts.php?postID=855&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+BankinfosecuritycomBlogsRssSyndication+%28BankInfoSecurity.com+Blogs+RSS+Syndication%29&amp;utm_content=Google+Feedfetcher" target="_self">Tracy Kitten</a>, bank security personnel are gearing up for a year in which they expect a lot more bad guys will &quot;go phishing&quot; (and &quot;vishing&quot;).</p>
<blockquote>
<p><em><strong>Like most fraud, phishing attacks are increasing in number and  sophistication. Banks know these are a problem, but fighting back is  becoming increasingly difficult.</strong></em></p>
<p><em><strong>[...]</strong></em></p>
<p><em><strong>About half of the respondents to our <a href="http://www.bankinfosecurity.com/articles.php?art_id=3206">Faces of Fraud Survey</a> say phishing and vishing are major concerns. Interestingly, only 20  percent say they feel prepped to fight and prevent those attacks against  their customers and brands.</strong></em></p>
</blockquote>
<p>We&#39;ve <a href="http://www.banklawyersblog.com/3_bank_lawyers/2008/01/bank-customers.html" target="_self">discussed &quot;phishing&quot; on this blog</a> many times, as well as &quot;vishing.&quot; Vishing is phishing using a telephone rather than e-mail. Like many phishing attacks (particularly &quot;spear-phishing&quot;), the fraudster callers use various guises to appear to be legitimate representatives of some business (even the intended victim&#39;s bank) who have a &quot;need to know&quot; your personal information. Apparently, they&#39;re successful often enough to keep them coming back for more.</p>
<p>Among the causes of concern, according to an ISACA survey cited by Ms. Kitten, is the increased use of mobile channels to access online banking. Another heightened risk is the increased use of social networks, where &quot;phishers&quot; love to troll. Using a mobile device to access a social network, then clicking all the links that catch your eye, is the equivalent of Lady Gaga wearing her meat dress on a stroll through the lion enclosure of the Bronx Zoo. Yet, you can bet your bottom dollar that plenty of pinheads are doing just that, even as we speak.</p>
<blockquote>
<p><em><strong>The riskiest online behaviors: Clicking on an e-mail loop to access a  shopping site, which 52 percent of ISACA survey respondents admit to  doing; and mixing personal networking with business. </strong></em></p>
<p><em><strong>Fifty-two percent admit to using a work computer or smart phone to access <a href="http://www.bankinfosecurity.com/category.php?catID=288">social networking</a> sites for personal use. &quot;It is kind of the flip of using personal stuff  for business and then using business stuff for personal -- clicking on  links.&quot; </strong></em></p>
<p><em><strong>Here&#39;s more: Results from another recent survey, this one from  the Anti-Phishing Working Group, reveal that 54 percent of household and  business PCs are infected with some kind of malware, most likely from  users clicking on links and accessing sites that make them vulnerable.</strong></em></p>
</blockquote>
<p>Tracy says that banks shouldn&#39;t blame it all on the consumer. For one thing, the ploys are becoming increasingly sophisticated, so much so that she almost fell for one herself. Moreover, the number of attacks has been increasing by leaps and bounds.</p>
<blockquote>
<p><em><strong>According to another study, this one released in October by Symantec,  the number of phishing attacks launched on consumers has jumped from one  or two a week in 2005 to more than 70 per day.</strong></em></p>
</blockquote>
<p>Educating consumers goes only so far, contends Ms. Kitten. She thinks financial institutions ought to be investing heavily in technology that doesn&#39;t &quot;allow those phishy e-mails through in the first place.&quot;</p>
<blockquote>
<p><em><strong>From what security experts in the field tell me, technology exists that  could virtually eliminate this kind of fraud. But banks and credit  unions are not investing in the right solutions. They depend too much on  anti-virus software, which is insufficient.</strong></em></p>
</blockquote>
<p>I&#39;m interested in hearing what sort of technology solutions a bank would implement that would prevent a customer from receiving a phishing e-mail. I&#39;m also interested in hearing what such technology might cost the average community bank. With all the Dodd-Frank costs and expenses that are being heaped on banks in the name of &quot;reform,&quot; spending more money to protect customers from being victimized by their own gullibility and risky behavior is a proposal that might not make it out of the starting gate at many institutions.</p></div>
</content>


    </entry>
    <entry>
        <title>The Home Stretch</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2010/12/the-home-stretch.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2010/12/the-home-stretch.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef0147e04cf1d8970b</id>
        <published>2010-12-01T21:34:00-06:00</published>
        <updated>2010-12-01T21:34:00-06:00</updated>
        <summary>Yesterday, WilmerHale put out one of those short client alerts that doesn&#39;t bore bankers with its excruciating in-depth analysis of some esoteric nuance of Dodd-Frank. Instead, it basically points out to bankers who&#39;ve been living in caves or strung out...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FCRA" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Federal Legislation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FRB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FTC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Lending" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef013489a93dde970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Deadlines" class="asset  asset-image at-xid-6a00d8341c652b53ef013489a93dde970c" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef013489a93dde970c-120wi" style="margin: 0px 5px 5px 0px;" title="Deadlines" /></a> Yesterday, WilmerHale put out one of those <a href="http://www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9668" target="_self">short client alerts</a> that doesn&#39;t bore bankers with its excruciating in-depth analysis of some esoteric nuance of Dodd-Frank. Instead, it basically points out to bankers who&#39;ve been living in caves or strung out on a drug of their choice that they&#39;ve got one month to wake up and smell the deadlines. Three deadlines, to be precise.</p>
<p>First, December 31, 2010 is the red letter day when the FTC will FINALLY (and they mean it this time) start enforcing their Red Flags Rule. If you don&#39;t know what a &quot;red flag&quot; is by now, pray to the deity of your choice, because you&#39;ll need his, her, or its help.</p>
<p>Second, January 1, 2011 marks the day that banks must use the model privacy notice form if they want to have the benefit of the GLBA &quot;safe harbor.&quot; Again, if any banker doesn&#39;t know what I&#39;m talking about, grab your closest bank regulatory lawyer and ask him about civil money penalties.</p>
<p>Finally, January 1, 2011 is also the day that the FRB/FTC joint rules governing the risk-based pricing notice mandated by the FACT Act will go into effect. The rules set forth what types of information the notices must contain and what alternative information or exceptions might apply.</p>
<p>These deadlines have been approaching for some time now, and you&#39;d think every affected financial institution would have been prepared for them by this point, so that a Chinese fire drill could be avoided during a month when vast quantities of eggnog should be consumed and mistletoe should be hung at completely inappropriate places throughout the office. But <a href="http://www.banklawyersblog.com/3_bank_lawyers/2006/11/a_peaceful_easy.html" target="_self">as we saw four years ago</a> when the multi-factor authentication &quot;guidance&quot; deadlines approached, then passed, with some bankers taking an &quot;ignorance-is-bliss&quot; or &quot;What, me worry?&quot; attitude toward the whole affair, I&#39;m sure there&#39;ll be a few bankers who&#39;ve patterned their professional careers after John Belushi&#39;s character in Animal House, and have spent the last several years smashing beer cans against their foreheads instead of worrying about these petty deadlines.</p>
<p>WilmerHale offers these slackers a helping hand.</p>
<blockquote>
<p><em><strong>If you have questions about compliance requirements for the FTC&#39;s Red  Flags Rule, use of model privacy notices or compliance with GLBA privacy  rules, or proper implementation of the FACT Act risk-based pricing  rule, please do not hesitate to contact us.</strong></em></p>
</blockquote>
<p>Or wait, and then hire them later to defend you against regulatory enforcement actions. You can pay them now, or pay them later.</p></div>
</content>


    </entry>
    <entry>
        <title>Fax Machines: A Source of Civil Money Penalties?</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2010/09/fax-machines-a-source-of-civil-money-penalties.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2010/09/fax-machines-a-source-of-civil-money-penalties.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef013487c526f8970c</id>
        <published>2010-09-27T21:46:00-05:00</published>
        <updated>2010-09-27T21:46:00-05:00</updated>
        <summary>Linda McGlasson at The Agency Insider blog had a smart post last week on the recent FDIC guidance on the information security risks of printers, copiers, and fax machines. It&#39;s not about the copies that are made or printed or...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FDIC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>Linda McGlasson at The Agency Insider blog had <a href="http://blogs.bankinfosecurity.com/posts.php?postID=716">a smart post last week</a> on the recent <a href="http://www.fdic.gov/news/news/financial/2010/fil10056.pdf">FDIC guidance</a> on the information security risks of printers, copiers, and fax machines.</p>

<blockquote><p><em><strong>It&#39;s not about the copies that are made or printed or sent by these machines, (although they can be considered a breach threat too if they 
fall into the wrong hands) but rather the stored data that poses a 
problem. 

</strong></em></p>

<p><em><strong>Consider: If you&#39;re at an institution that has done any upgrade to 
its copiers and printers within the last five years, then your current 
machines most likely are housing the hidden threat underneath the 
plastic cover -- a hard drive that copies and keeps records of every 
single copy made on the copier.

</strong></em></p>

<p><em><strong>Yes, a hard drive can hold a copy of every single copy and the 
drive continues to write until it is full, and then the new data writes 
over the old copies. If that hard drive leaves the institution or is 
accessed, this is a violation of privacy under GLBA. Try explaining how 
that data made it into the hands of someone who wasn&#39;t supposed to see 
it. Or how after a copier was sent back to the seller for servicing or 
because its lease was up, a data breach was traced back to your 
institution -- specifically to that machine. <br /></strong></em></p>

</blockquote>

<p>Banks should have already addressed this issue as part of their information security program that is mandated by the Information Security Guidelines adopted by the FFIEC pursuant to the Gramm-Leach-Bliley Act. The hard drives of these machines should be treated in the same way (and protected and disposed of in the same way) as any other computer hard drive that sits on an employee&#39;s desktop or is ported about in a laptop, netbook, iPad, mobile phone, etc. The fact that the FDIC decided that it should issue specific guidance on the topic means that its examiners have discovered a potential &quot;hole&quot; in this respect at more than one bank.</p>

<p>Linda offers some common sense steps that banks should take to address and mitigate these risks:</p>

<ul>
<li>change the passwords from the default on copiers and the multi-function printers.</li>
<li>turn off all the things you don&#39;t want and check that the data and fax 
modems are separate (so you won&#39;t run into the problem of having a
 modem linked in, looking at the records that only a select few are 
supposed to see in your institution).</li>
<li> add the manufacturer&#39;s security kit that encrypts information on the
 copier. The kit also shreds each copied document by overwriting the 
image after it&#39;s printed.</li>
<li>adopt a written policy on the handling of copies, faxes, printed material or stored data, including their secure disposal (if you don&#39;t already have one).</li>
<li>adopt a written policy on the handling and disposal of data on these machines&#39; hard drives.</li>
</ul>
<p>
This is not only good business practice, but, as Linda also discusses, will protect both the institution and its officers and directors from potential civil money penalties for violation of the requirements of the G-L-B Act.</p>

<p>You may think you&#39;ve got bigger fish to fry than sweating this &quot;small stuff,&quot; but a tiny bump can trip you up. Check your information security policies and make certain this &quot;small stuff&quot; is addressed, whether or not the FDIC is your primary federal regulator.</p>

</div>
</content>


    </entry>
    <entry>
        <title>Surprisingly Unsurprising</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2010/05/surprisingly-unsurprising.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2010/05/surprisingly-unsurprising.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef0133ed6ce439970b</id>
        <published>2010-05-09T21:45:00-05:00</published>
        <updated>2010-05-10T10:43:11-05:00</updated>
        <summary>We&#39;ve discussed (most recently here) incidents that demonstrate how expensive to banks data security breaches can be. Lawyer and law technology columnist Eric Sinrod cited a recent study conducted by The Ponemon Institute and co-sponsored by PGP Corporation that, says...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Privacy" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0133ed6ce1c7970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Data-breach" class="asset asset-image at-xid-6a00d8341c652b53ef0133ed6ce1c7970b " src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef0133ed6ce1c7970b-120wi" style="margin: 0px 5px 5px 0px;" /></a> We&#39;ve discussed (most recently <a href="http://www.banklawyersblog.com/3_bank_lawyers/2009/01/data-breaches-on-the-rise-and-striking-the-heartland.html">here</a>) incidents that demonstrate how expensive to banks data security breaches can be. <a href="http://blogs.findlaw.com/technologist/2010/04/the-cost-of-data-breaches-it-aint-cheap.html">Lawyer and law technology columnist Eric Sinrod</a> cited a recent study conducted by The Ponemon Institute and co-sponsored by PGP Corporation that, says Eric, confirms what we&#39;ve always suspected: &quot;the cost of data 
breaches is substantial.&quot;</p>

<blockquote><p><em><strong>The average global total cost of each data breach in 2009 was $3.43 million, with an average cost of $142 per affected record.&#0160;And here in 
the United States, the average total cost per breach was a staggering 
$6.75 million, with an average cost of $204 per affected record.</strong></em></p></blockquote>

<p>When I first read this, I wondered how much of the additional cost in the United States might be attributable to the fact that we&#39;re the most over-lawyered country on the planet; in fact, I&#39;d suspect the most over-lawyered spot in the known universe. Apparently, however, it&#39;s not the fault of the lawyers but of the laws.</p>

<blockquote><p><em><strong>Perhaps not surprisingly, the costs were highest where data breach notification laws place requirements on organizations that experience a breach to disclose the details of breach incidents. Accordingly, the costs were the highest in the United States, where practically all states at this point have passed data breach legislation. And Germany, where similar laws were placed last year, experienced the second-highest costs.</strong></em></p></blockquote>

<p>Interestingly, but not surprisingly, a whopping percentage of losses relate to lost business to the company that suffers the data breach.</p>

<blockquote><p><em><strong>In a wake up call to companies, on average 44% of incurred data loss expenses related to lost business. When customers learn of data breaches, they evidently take their business elsewhere. This should encourage companies to do their very best in preventing and addressing breaches. With respect to the percentage of data loss expenses relating to lost business, the numbers come in like this: Australia 33%; France 30%; Germany 34%; the United Kingdom 46%; and the United States a whopping 66%.</strong></em></p></blockquote>

<p>I&#39;ve become convinced that the major risk of data security breaches is reputational risk. The report seems to bear this out. A bank may have in place &quot;commercially reasonable&quot; information security measures that will pass muster with bank regulators as being in compliance with FFIEC information security guidelines and safety and soundness principles. A bank may also have limited its legal liability to its customers by means of its agreements with its customers. Nevertheless, all the well thought out, legally compliant procedures and written account documents in the world aren&#39;t going to save the bank from the ultimate hammer that any customer wields--taking its business elsewhere. That hammer blow can become even more painful if, as has occurred recently in Texas and elsewhere, local media picks up on a data breach that morphs into full-blown litigation and the customer alleges that not only doesn&#39;t the bank have adequate security measures, but when those measures fail, the bank refuses to make the customer whole.</p>

<p>Eric does offer one bright note from the report. Not surprisingly, that bright note involves hiring &quot;skilled&quot; legal counsel.</p>

<blockquote><p><em><strong>The report also demonstrates that when third-party and/or criminal attacks caused breaches, costs increased due to added forensics and investigations that were launched. The report further details that when there is a strong Chief Information Security Officer (CISO) who took active responsibility for managing a breach, costs were lower across the board in all five countries that were studied.</strong></em></p>

<p><em><strong>...It behooves organizations to get their data houses in order on the front-end, and when a breach happens notwithstanding best preventative efforts, the breach should be managed swiftly and effectively by a strong CISO with the assistance of legal counsel skilled in this area.</strong></em></p></blockquote>

<p>Gosh, I wonder which &quot;skilled legal counsel&quot; Eric has in mind? Since Eric doesn&#39;t state that the report suggested that the CISO be &quot;assisted&quot; by skilled legal counsel, we&#39;ll chalk that suggestion up to &quot;literary license.&quot; </p></div>
</content>


    </entry>
 
</feed>
