Moorari Shah is a partner in the Finance and Bankruptcy Practice Group in the firm's Los Angeles and San Francisco offices.

The FTC recently amended the Safeguards Rule to make non-banking institutions such as mortgage brokers, motor vehicle dealers, and payday lenders notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. The FTC plans to provide an online form that will be used to report certain information, including the type of information involved in the security event and the number of consumers affected or potentially affected. The FTC’s Safeguards Rule also requires non-banks to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
Continue Reading Impact of FTC Safeguard Rules Amendment on Breach Notification Timing

On April 4, CFPB Director Rohit Chopra delivered remarks at the International Association of Privacy Professionals’ Global Policy Summit on the importance of reining in repeat violators of consumer finance and privacy laws. According to the Director, the CFPB is to enhance penalties against repeat offenders of consumer protection laws. Such penalties could involve a broader range of agency remedies, including naming executives in enforcement actions and placing meaningful limitations on future business practices, in addition to simple fines.
Continue Reading CFPB Director Elevates Priorities for Data Privacy & Repeat Offenders

Recently, the CFPB released an outline of proposed measures related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts that would allow consumers to take control of their personal financial data and determine which third parties could have access to such data. The CFPB is seeking comments on the rulemaking by January 25, 2023.
Continue Reading CFPB Starts Year Seeking Comments on Proposals to Give Consumers Enhanced Control of Financial Data

On October 18, the CFPB sued a software company for utilizing its online payment platform to enroll unknowing consumers into annual subscriptions through deceptive acts and “dark pattern” techniques in violation of the CFPA and EFTA. Among other things, the complaint alleges that the company encouraged consumers to unknowingly enroll in free trials and converted the free trials into annual subscriptions through a “negative option” renewal policy (our sister blog covered “negative option” marketing in a previous post here). During this process, the company allegedly collected consumers’ registration information and consumer payments data (e.g., credit or debit card number) so that it could transmit the consumer payments data through its payments systems.
Continue Reading CFPB Sues Payment Platform Over Dark Patterns

The CFPB recently published a circular clarifying liability under consumer financial protection law for financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. According to the CFPB, in the event of large-scale, customer-base-wide breaches, consumers may become victims of targeted identity theft.
Continue Reading CFPB: Safeguard Consumer Data or Face Liability

Last month, the CFPB utilized its market monitoring authority to issue a series of orders to five companies offering “buy now, pay later” credit. Buy now, pay later, or BNPL, is a deferred payment option that allows consumers to split a purchase into smaller installments, typically four or fewer, often with a down payment of 25 percent due at checkout.
Continue Reading CFPB’s Latest Orders Place Data Practices Front and Center for 2022

The FTC recently announced a final rule updating its GLBA Safeguards Rule to “strengthen the data security safeguards” of consumer financial information. The FTC reported that it was making these changes in response to widespread data breaches and cyberattacks. As we reported in our sister blog, the changes will mean that a broad range of non-banking financial institutions may need to make updates to their data security policies and procedures. The new requirements go into effect in November 2022.
Continue Reading Non-Banking Institutions Will Want to Review Security Measures in Light of Update to Safeguards Rule