
A.J. is a partner in the Finance and Bankruptcy Practice Group in the firm's Washington, D.C. office.

The FTC recently amended the Safeguards Rule to make non-banking institutions such as mortgage brokers, motor vehicle dealers, and payday lenders notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. The FTC plans to provide an online form that will be used to report certain information, including the type of information involved in the security event and the number of consumers affected or potentially affected. The FTC’s Safeguards Rule also requires non-banks to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
Continue Reading Impact of FTC Safeguard Rules Amendment on Breach Notification Timing

On April 4, CFPB Director Rohit Chopra delivered remarks at the International Association of Privacy Professionals’ Global Policy Summit on the importance of reining in repeat violators of consumer finance and privacy laws. According to the Director, the CFPB is to enhance penalties against repeat offenders of consumer protection laws. Such penalties could involve a broader range of agency remedies, including naming executives in enforcement actions and placing meaningful limitations on future business practices, in addition to simple fines.
Continue Reading CFPB Director Elevates Priorities for Data Privacy & Repeat Offenders

Recently, the CFPB released an outline of proposed measures related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts that would allow consumers to take control of their personal financial data and determine which third parties could have access to such data. The CFPB is seeking comments on the rulemaking by January 25, 2023.
Continue Reading CFPB Starts Year Seeking Comments on Proposals to Give Consumers Enhanced Control of Financial Data

On October 18, the CFPB sued a software company for utilizing its online payment platform to enroll unknowing consumers into annual subscriptions through deceptive acts and “dark pattern” techniques in violation of the CFPA and EFTA. Among other things, the complaint alleges that the company encouraged consumers to unknowingly enroll in free trials and converted the free trials into annual subscriptions through a “negative option” renewal policy (our sister blog covered “negative option” marketing in a previous post here). During this process, the company allegedly collected consumers’ registration information and consumer payments data (e.g., credit or debit card number) so that it could transmit the consumer payments data through its payments systems.
Continue Reading CFPB Sues Payment Platform Over Dark Patterns

The CFPB recently published a circular clarifying liability under consumer financial protection law for financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. According to the CFPB, in the event of large-scale, customer-base-wide breaches, consumers may become victims of targeted identity theft.
Continue Reading CFPB: Safeguard Consumer Data or Face Liability

On June 13, the US and UK governments announced that they are developing prize challenges focused on advancing the maturity of privacy-enhancing technologies (PETs) to combat financial crime. The announcements highlight that up to $2 trillion of cross-border money laundering takes place each year. The White House explained that PETs could address financial crime through maturing technologies, which allow machine learning models to be trained on high quality datasets, without the data leaving safe environments. PETs also facilitate privacy-preserving financial information sharing and collaborative analytics, allowing suspicious types of behavior to be identified without compromising the privacy of individuals, or requiring the transfer of data between institutions or across borders.
Continue Reading US, UK Collaborate on Prize Challenges for Privacy-Enhancing Technologies

On June 7, Sen. Sherrod Brown (D-OH), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to Treasury Secretary Janet Yellen to request a review by the Financial Stability Oversight Council of financial institutions’ consumer data activities and their potential threat to U.S. financial stability and security. The letter raised concerns that this information may be sold to third-party purchasers or data brokers who compile it with personal data collected from other sources often associated with advertising and exploited for other uses. The Committee also raised concerns that such data could be used for nefarious purposes including “glean[ing] consumers’ tolerance for price hikes, or using certain people’s spending patterns to target them for blackmail or ransomware.”
Continue Reading Senate Banking Committee Sends Letter to Yellen on Collection, Use of Consumer Data

The May 1 change to banks’ cyber-notification process is fast approaching. As we wrote previously, the OCC, FDIC, and Federal Reserve Board implemented a final rule under which banks and their service providers must notify their primary federal regulators within 36 hours of certain incidents. A notification incident that triggers this requirement is defined as a computer security incident that materially disrupts a banking organization’s operations or lines of business. Thus, not all incidents will meet these levels. For those that do, banks will need to be prepared. Part of that is having the right points of contact, which include:
Continue Reading On the Clock: Cyber Incidents Notification Deadline Approaching for Banks

In light of Russia’s recent military actions in Ukraine, the New York Department of Financial Services issued guidance on its cybersecurity and virtual currency regulations. The Department is specifically concerned about the heightened risk of Russia’s cyberattacks against Ukraine, which could in turn lead to retaliatory attacks against U.S. critical infrastructure due to U.S. sanctions against Russia.
Continue Reading NYDFS Issues Cybersecurity Guidance in Response to Events in Ukraine

A California-based lead generation company recently settled with the FTC for $1.5 million over alleged privacy violations. The FTC argued that the company deceptively acquired consumer personal information and improperly
Continue Reading FTC Fines Lead Generation Company $1.5M Citing Misuse of Consumer Financial Data