InfoBytes Blog

Financial Services Law Insights and Observations

  • Arizona governor amends data breach law, updates security freeze legislation

    Privacy, Cyber Risk & Data Security

    On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or license unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, subject to the needs of law enforcement. Key amendment highlights are as follows:

    • makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
    • adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
    • amends a provision concerning “substitute notice,” removing the requirements that notification be sent to affected individuals via email and that major statewide media be notified. The amendments now stipulate that an entity must notify the Attorney General’s office in writing, explaining the reasons for substitute notice, in addition to posting a notice on the entity’s website for at least 45 days; and
    • clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”

    Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. 

    Both bills are scheduled to take effect 91 days after the end of the legislative session.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

  • FFIEC joint statement addresses role of cyber insurance in risk management programs

    Federal Issues

    On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyberattacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision; (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of a financial institution’s annual insurance review and budgeting process.

    Federal Issues FFIEC Privacy/Cyber Risk & Data Security Cyber Insurance Risk Management

  • 9th Circuit amended opinion holds company not vicariously liable under TCPA

    Privacy, Cyber Risk & Data Security

    On April 4, the U.S. Court of Appeals for the 9th Circuit issued an amended opinion that again affirmed a district court’s decision to grant summary judgment in favor of a defendant concerning allegations that it was vicariously liable for telemarketing activity in violation of the Telephone Consumer Protection Act (TCPA). The three-judge panel held that the defendant, who sells vehicle service contracts (VSCs) through automobile dealers and “marketing vendors,” was not vicariously liable under the TCPA for calls made by telemarketers employed by a company that sold VSCs for the defendant and multiple other companies. Last August, the panel determined that the company’s telemarketers acted as independent contractors, rather than as the defendant’s agents. In amending its opinion, the panel further determined that the telemarketers lacked actual authority (under express language contained within the parties’ contract) to place the unlawful calls, and that the defendant “exercised insufficient control over the manner and means of the work to establish vicarious liability under the asserted theory.”

    Privacy/Cyber Risk & Data Security Courts TCPA Appellate Ninth Circuit

  • State judge says Massachusetts can sue credit reporting agency over data breach

    Privacy, Cyber Risk & Data Security

    On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General’s complaint plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach that affected over 143 million consumers.

    Privacy/Cyber Risk & Data Security Courts State Attorney General State Issues Data Breach Credit Reporting Agency

  • States pass bills amending security freeze laws

    State Issues

    On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request that a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines “protected consumer” to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on that record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows a protected consumer to remove the security freeze upon demonstrating that the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.

    On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, its text noting that security breaches and the risk of identity theft are on the rise.

    State Issues State Legislation Security Freeze Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

  • Alabama enacts data breach notification law

    Privacy, Cyber Risk & Data Security

    On March 28, the Alabama governor signed SB 318, The Alabama Data Breach Notification Act of 2018 (Act), which requires entities doing business in the state to (i) notify consumers within 45 days if their personal data has been compromised in a data breach; and (ii) notify the state Attorney General and consumer reporting agencies if more than 1,000 individuals have been impacted. The Act also states that third-party agents (entities contracted to maintain, store, process, or otherwise access sensitive personally identifying information in connection with providing services to a covered entity) are required to notify the covered entity of a breach of security “no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” Additionally, the Act gives the state Attorney General authority to prosecute a failure to disclose a data breach as an unlawful act or practice under the Alabama Deceptive Trade Practices Act, which can result in daily penalties of up to $5,000 per violation. However, entities that follow the notice requirements of industry-specific state or federal laws or regulations are exempt from the Alabama legislation. The law is effective June 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach State Attorney General

  • OFAC sanctions Iranian nationals for malicious cyberattacks

    Financial Crimes

    On March 23, the Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the DOJ, imposed additional sanctions on an Iranian entity and 10 Iranian nationals, pursuant to Executive Order 13694, for conducting malicious cyberattacks against hundreds of U.S. and third-country universities for private financial gain. Nine of the identified individuals are connected to the Mabna Institute and are accused of misappropriating “economic resources or personal identifiers” to aid Iran’s Islamic Revolutionary Guard Corps. Pursuant to these sanctions, all property or interests in property of the designated persons within U.S. jurisdiction are blocked, and U.S. persons are “generally prohibited” from participating in transactions with these individuals and entities. Additionally, as reported in a DOJ press release, the nine Iranians have also been indicted for engaging in malicious cyber-enabled activities. A tenth Iranian national was sanctioned for engaging in cyber-related actions targeting a U.S. media company.

    Visit here for additional InfoBytes coverage on Iranian sanctions.

    Financial Crimes OFAC Sanctions International Department of Treasury Privacy/Cyber Risk & Data Security

  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    On March 23, the New York Department of Financial Services (NYDFS) issued a second update to its FAQs on 23 NYCRR Part 500, which took effect March 1, 2017 and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in InfoBytes, as was the previous update in February. The new update to the FAQs adds the following guidance:

    • An individual filing a Certificate of Compliance for his or her own individual license with no Board of Directors is acting as a Senior Officer as defined by 23 NYCRR 500 and should complete the filing process in that manner; and
    • Entity ID is defined as an entity’s state-issued unique license or charter number. Specific information is provided for insurance companies and mortgage loan originators in the FAQs.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance

  • Multiple states update security freeze legislation

    State Issues

    On March 23, the Governor of Tennessee signed HB 1486, which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already prohibited charging a fee for a security freeze if the consumer is a victim of identity theft and presents a copy of a police report (or other official documentation) to the credit reporting agency at the time of the request. Under Section 47-18-2108 of the Tennessee Code Annotated, the state still allows charging a fee of up to seven dollars and fifty cents for all other placements of a security freeze and up to five dollars to permanently remove a security freeze. HB 1486 is effective immediately.

    On March 20, the Governor of Idaho signed SB 1265, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the first placement of a security freeze and for the first temporary lift of a security freeze during a twelve-month period. The law allows a fee of up to six dollars for the second placement or temporary lift within a twelve-month period. SB 1265 still allows a fee of up to ten dollars for the reissuance of a personal identification number or password. The legislation is effective July 1.

    State Issues Security Freeze Credit Reporting Agency Data Breach State Legislation Privacy/Cyber Risk & Data Security

  • Coalition of state Attorneys General urges Congress to oppose data breach bill

    Privacy, Cyber Risk & Data Security

    On March 19, the Illinois Attorney General, along with 30 other state Attorneys General and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to selected members of Congress opposing the Data Acquisition and Technology Accountability and Security Act (the DATAS Act), which would establish broad standards for data protection across industries and create federal notification requirements for covered entities after certain types of data breaches. (See previous InfoBytes coverage here.) According to the Illinois Attorney General’s letter, the DATAS Act would preempt state data breach and data security laws. The letter also stated that “States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.” Serious potential concerns arising from the DATAS Act raised in the letter include (i) reduced transparency to consumers; (ii) delayed notification to consumers affected by data breaches; and (iii) an overly narrow focus on large-scale data breaches “affecting 5,000 or more consumers” which “prevent[s] attorneys general from learning of or addressing breaches that happen on a smaller national scale.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Data Breach Security Freeze
