
Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and assessing breach response obligations following a breach.

In this episode of FCRA Focus, hosts Kim Phan and Dave Gettings are joined by colleague Tim St. George to unpack major legislative developments impacting employment background screening. They discuss New York’s new statewide ban on the use of consumer credit history in most hiring and employment decisions, Virginia’s upcoming requirements for background screening businesses, and emerging federal proposals that could reshape FCRA liability, reseller obligations, and the reporting of criminal and credit information. The conversation highlights notable litigation trends, preemption and First Amendment issues, and practical steps for employers, CRAs, and resellers navigating rapidly evolving state and federal requirements.

In this episode of The Consumer Finance Podcast, Chris Willis and Kim Phan unpack Colorado’s brand-new Automated Decision-Making Technology (ADMT) Act, which repeals and replaces the state’s much-criticized 2024 AI law. They explain the shift from “high-risk AI systems” to the broader ADMT framework, what it means for consequential decisions in lending and financial services, and how the statute’s “material influence” standard can sweep in tools that do far more than make final credit determinations.

On May 12, the Colorado legislature passed Senate Bill 26‑189, a substantial rewrite of its 2024 law establishing consumer protections for artificial intelligence (formerly referred to as the CO AI Act), and replaced it with a more targeted framework for “automated decision‑making technology” (ADMT). The changes will take effect on January 1, 2027.

The U.S. Department of Justice (DOJ) has issued an interim final rule extending the compliance dates for its 2024 Americans with Disabilities Act (ADA) Title II website and mobile application accessibility regulations for state and local governments. This development is noteworthy for anyone watching the long‑running debate over web accessibility standards, as well as the potential implication of this rulemaking for a future DOJ proposed rule governing public accommodations under Title III of the ADA.

A new discussion draft from Representative Bill Huizenga (R-MI) would significantly update Title V of the Gramm‑Leach‑Bliley Act (GLBA) to reflect how financial data is collected, shared, and monetized in today’s market. Released in connection with the March 17, 2026 House Financial Services Committee (Committee) hearing, “Updating America’s Financial Privacy Framework for the 21st Century,” the draft purports to give consumers greater control over their financial data, impose new limits on financial institutions and data aggregators, and create a more uniform national privacy regime for consumer financial information.

In this episode of FCRA Focus, host Kim Phan is joined by Michael Yaghi, partner in Troutman Pepper Locke’s Regulatory Investigations, Strategy + Enforcement practice group, to unpack the California Department of Financial Protection and Innovation’s (DFPI) latest effort to require registration for the credit reporting industry. They discuss DFPI’s second request for comment, how it fits into California’s broader push to regulate nonbank financial services, and which entities may be swept in beyond the “big three” consumer reporting agencies — such as furnishers, data brokers, specialty credit reporting agencies, resellers, and fintechs. Kim and Michael also explore how narrowly (or broadly) the rules might be drawn, potential overlap and tension with existing FCRA requirements, what registration and reporting could mean in practice for covered entities, and what companies should be doing now as the February 26 comment deadline approaches.

In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.

In 2025, the U.S. digital asset landscape evolved more dramatically than in any year since the industry’s inception. A pro‑innovation White House, an active Congress, and key regulators — including the U.S. Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Office of the Comptroller of the Currency (OCC), the Department of

On January 12, the California Department of Financial Protection and Innovation (DFPI) issued a second invitation for comments on potential regulations under the California Consumer Financial Protection Law (CCFPL) that would require registration and reporting by firms engaged in consumer reporting and related data activities. Comments are due by February 26.

On December 22, the National Credit Union Administration (NCUA) updated its Artificial Intelligence (AI) resource page to consolidate key technical and policy references for federally insured credit unions. The page sits within NCUA’s broader cybersecurity and financial technology resources and is explicitly framed as support for evaluating and performing due diligence on third‑party AI vendors. It links AI oversight back to existing NCUA guidance on third‑party relationships, including 07‑CU‑13 (Evaluating Third Party Relationships) and 01‑CU‑20 (Due Diligence Over Third Party Service Providers).