The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.

Continue Reading  CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting

On February 3, the Illinois Supreme Court unanimously ruled in McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, that the exclusivity provisions of the Illinois Workers’ Compensation Act (WCA) do not preempt employees’ claims for statutory damages under the Illinois Biometric Information Privacy Act (BIPA).  The decision provides clarity for a number

On October 27, the Federal Trade Commission (FTC) announced a final rule (Final Rule) and supplemental notice of proposed rulemaking (NPRM) to amend the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA), which requires covered financial institutions to implement certain security safeguards to protect their customers’ financial information against data breaches and cyberattacks. The FTC also issued another rule adopting largely technical revisions to the scope of its Privacy Rule, a separate GLBA rule that requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
Continue Reading  FTC Strengthens GLBA Financial Safeguards and Privacy Rules

On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.
Continue Reading  FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices

With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a press conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information.
Continue Reading  California Enforcement Updates and Privacy Tools Highlight Regulatory Scrutiny of Right to Opt Out

On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which was enacted in January 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.

Continue Reading  New York City’s Biometric Identifier Information Law Takes Effect

On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).
Continue Reading  The European Commission’s Adoption of New SCCs