The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.

Continue Reading  CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant

Businesses with automatic renewal contracts—including subscriptions—should take note of Colorado’s new law that went into effect earlier this year on January 1, 2022.  While companies subject to other state’s auto-renewal laws and the Restore Online Shoppers’ Confidence Act (“ROSCA”) will be familiar with the three-prong approach of upfront clear disclosure, simple cancellation, and ongoing reminders,

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting

Since the beginning of the year, the SEC has issued several sets of proposed rules governing cybersecurity.  In an upcoming webinar, Ballard Privacy & Data Security partner Phil Yannella will join a panel discussion hosted by SEI Investments concerning the impact of these new rules on registered investment advisors and funds.  You can register

California continues to be at the vanguard of privacy protection.  On October 11, 2021 California’s Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022 and include:

  • AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out

On September 9, 2020, Washington Senator Reuven Carlyle, D-Seattle, announced via Twitter that the third version of the draft Washington Privacy Act 2021 (“WPA”) was available for public review and comment. The recently released version of the WPA is the latest attempt by the Washington legislature to pass a comprehensive privacy bill. An earlier 2020

The Office of Civil Rights of the U.S. Department of Health and Human Services has issued guidance clarifying how HIPAA’s Privacy Rule permits covered entities (in particular, health care providers and health plans) or their business associates to contact former COVID-19 patients about plasma donation to treat or potentially treat patients. The guidance follows the