Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs

    State Issues

    On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.

    In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:

    • Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
    • Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
    • Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
    • Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.

    Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

    Share page with AddThis
  • CFPB amends Regulation P, provides exemptions for annual privacy notice requirement

    Agency Rule-Making & Guidance

    On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.

    The amendments to Regulation P will take effect 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance CFPB Regulation P Gramm-Leach-Bliley Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • FTC seeks comments on possible adjustments to privacy and data security rulemaking authority

    Privacy, Cyber Risk & Data Security

    On August 6, the FTC published a request for comments in the Federal Register—in advance of a series of 15 to 20 public hearings scheduled to start this September—on whether the agency should make adjustments to competition and consumer protection law, enforcement priorities, and policy in light of evolving technologies and market developments. The hearings will cover a range of consumer-related issues, including the agency’s “remedial authority to deter unfair and deceptive conduct in privacy and data security matters” and the “interpretation and harmonization of state and federal statutes and regulations that prohibit [such conduct].” According to testimony presented by FTC Chairman Joseph Simons at a July 18 House Subcommittee on Digital Commerce and Consumer Protection hearing, there exists a need for expanded rulemaking and civil penalty authority. Specifically, Simons discussed Section 5 of the FTC Act, which he stated is too limited to address all of the privacy and security concerns in the marketplace and does not provide for civil penalties. Comments on the hearing topics must be received by August 20.

    Privacy/Cyber Risk & Data Security FTC Federal Register FTC Act

    Share page with AddThis
  • Conference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers

    State Issues

    On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service providers (TSPs)] in an effective and efficient manner.” H.R. 3626, the Bank Service Company Examination Coordination Act, introduced by Representative Roger Williams, R-Texas, would amend the Bank Service Company Act to provide examination improvements for states by requiring federal banking agencies to (i) consult with the state banking agency in a reasonable and timely fashion, and (ii) take measures to avoid duplicating examination activities, reporting requirements, and requests for information. Currently, 38 states have the authority to examine TSPs, however, according to CSBS, amending the Bank Service Company Act would more appropriately define a state banking agency’s authority and role when it comes to examining potential risks associated with TSP partnerships. In its statement, CSBS also references a recent action taken by eight state regulators against a major credit reporting agency following its 2017 data breach that requires, among other things, a wide range of corrective actions, including improving oversight and ensuring sufficient controls are developed for critical vendors. (See previous InfoBytes coverage here.) The House Financial Services Committee advanced H.R. 3626 on June 24 on a unanimous vote.

    State Issues State Regulators CSBS Federal Legislation Third-Party Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • FTC announces settlement with California company over EU-U.S. Privacy Shield false certification claims

    Privacy, Cyber Risk & Data Security

    On July 2, the FTC announced it had reached a settlement with a California-based company over allegations that it falsely claimed participation in the European Union-U.S. Privacy Shield framework, EU-U.S. Privacy Shield. According to the FTC, the company’s false claim that it was in the process of certification is a violation of the FTC Act’s prohibition against deceptive acts or practices. The settlement prohibits the company from misrepresenting its participation in “any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization” and requires the submission of timely compliance notices. This action marks the fourth FTC EU-U.S. Privacy Shield enforcement action following the EU’s finalization and adoption in July 2016 (see previous InfoBytes coverage here) of the EU-U.S. Privacy Shield, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement

    Share page with AddThis
  • Buckley Sandler Special Alert: California governor signs significant data privacy bill into law

    Privacy, Cyber Risk & Data Security

    On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of signatures to appear on the November 2018 ballot in the state. Both the Act and the Ballot Initiative were a reaction to high-profile news stories involving large-scale consumer data collection and sharing by online companies, often done without notice to or consent from consumers.

    The Ballot Initiative, driven and funded by a coalition of privacy advocates, proposed both expanding consumer privacy rights under existing state laws such as the California Online Privacy Protection Act and the “Shine the Light” law, and giving new consumer rights with regard to information sharing. The Ballot Initiative, which was withdrawn in response to the enactment of the Act, would have provided state residents with increased rights regarding the types of information online companies possess about them, the purposes for which the information is used, and the entities with which the information is shared. Consumers would also have been given the right to stop certain sharing of their personal information. Critics asserted that the Ballot Initiative was poorly crafted and would stifle innovation in data services. Last minute revisions to the language of the Act, which generally follows the requirements of the Ballot Initiative, sought to address some of these concerns and several industry groups that had opposed the Ballot Initiative did not lobby against the quick passage of the Act.

     

    * * *

    Click here to read the full special alert.

    If you have questions about the act or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues Special Alerts

    Share page with AddThis
  • Credit reporting agency agrees to cybersecurity corrective action with eight state regulators

    Privacy, Cyber Risk & Data Security

    On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.

    The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS

    Share page with AddThis
  • New York regulation requires all credit reporting agencies to register with NYDFS

    State Issues

    On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)

    According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Rhode Island and New Hampshire prohibit security freeze fees

    Privacy, Cyber Risk & Data Security

    On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee up to $10 dollars for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.

    Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires the consumer reporting agencies to place the freeze within three business days after receiving a consumer request, if the consumer makes the request via mail and within 24 hours after receiving a consumer request, if made electronically or by telephone. The law is effective January 1, 2019.

    Privacy/Cyber Risk & Data Security Security Freeze State Issues State Legislation Credit Reporting Agency

    Share page with AddThis
  • 8th Circuit affirms $17 million class settlement for retailer data breach

    Courts

    On June 13, the U.S. Court of Appeals for the 8th Circuit affirmed the district court’s ruling approving a $17 million class settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The settlement, which consists of $10 million in consumer redress and almost $7 million in plaintiffs’ attorney fees, was preliminarily approved in 2015 by the district court (previously covered by InfoBytes here) but was remanded back to the court by the 8th Circuit for failing to conduct the appropriate pre-certification analysis. After the district court recertified the class, two settlement challengers appealed, arguing that the class was not properly certified as there were not separate counsel for the subclasses and that the court erred in approving the settlement because the award of attorney’s fees was not reasonable. The appellate court disagreed, holding that no fundamental conflict of interest required separate representation for named class members and class members who suffered no actual losses. The court also concluded that the 29 percent in total monetary payment to the plaintiffs’ attorneys was “well within the amounts [the court] has deemed reasonable in the past” and therefore, the district court did not error in its discretion.

     

    Courts Appellate Eighth Circuit Class Action Data Breach Privacy/Cyber Risk & Data Security

    Share page with AddThis

Pages