Privacy and Cybersecurity

The FTC recently published an advance notice of proposed rulemaking to discuss harms associated with the collection, processing, and selling of personal data. The FTC is inviting public comments on whether it should implement new rules on how companies:

Continue Reading FTC Signals Focus on Increasing Protections Around Personal Data

On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that would impose new obligations on financial institutions on reporting, governance, testing, access management, risk assessment, business continuity plans, among others.

Continue Reading New York Proposes Cybersecurity Rules for Financial Institutions

On August 11, the CFPB published a circular clarifying liability under consumer financial protection law for bank and nonbank financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. These data security incidents may lead to significant harm to a few consumers—who, for example, become victims of targeted identify theft after a breach—or may lead to harm of many consumers in the event of large scale, customer-base-wide breaches. The circular includes specific examples for reference.

Continue Reading CFPB Circular: Safeguard Consumer Data or Face Liability

Recently, the Federal Reserve Board (Fed) published its annual Cybersecurity and Financial System Resilience report describing measures it has taken to strengthen cybersecurity in the financial services sector, including the supervision and regulation of financial institutions and third-party service providers.

Continue Reading Fed Reports on Cybersecurity and Financial System Resilience

A few months ago, we published a post about the OCC, FDIC, and Federal Reserve Board’s final rule to improve information sharing about cyber incidents that may affect the U.S. banking system. Under the final rule, banks and their service providers must notify their primary federal regulators within 36 hours after a notification incident has occurred. In the latest update from the regulators, they remind banks that starting May 1, banks must notify their primary federal regulators about computer-security incidents. Below is the contact information and the process for contacting each regulator:

Continue Reading May 1st is Around the Corner: Bank Computer-Security Incident Notification Requirements

On January 7, the FTC announced that a California-based lead generator agreed to settle with the FTC for $1.5 million to resolve allegations that through a number of its subsidiaries, the company induced consumers into sharing their personal financial information and then sold that information from these loan applications as “leads” to a variety of entities without regard to whether these entities are lenders or use the consumers’ data to make loans.

Continue Reading Lead Generator Settles with FTC Over Alleged FCRA and FTC Act Violations

Last month, the FDIC, Federal Reserve Board, and the OCC announced a final rule to improve information sharing about cyber incidents that may affect the U.S. banking system.  Among other things, the final rule requires banking organizations to inform their primary federal regulator no later than 36 hours after a determination that a “computer-security incident” has reached the level of a “notification incident.”  The final rule notes that notification is required for incidents that have affected, in certain circumstances:

Continue Reading Federal Bank Regulators Approve New Cybersecurity Incident Notification Rule

On September 21, 2021, the FinTech task force of the U.S. House Committee on Financial Services held a hearing on consumer privacy. The hearing was live-streamed and the archived webcast is available on the Committee website.

Continue Reading More Regulatory Clarity on the Horizon for FinTech

On July 12, the CFPB issued a consent order against a FinTech company for facilitating point of sale financing activities without authorization from consumers.  The consent order requires the company to pay up to approximately $9 million in redress to impacted consumers and a $2.5 million civil money penalty.

Continue Reading CFPB Takes Action Against FinTech Company for Originating Unauthorized Loans