Kim is a partner in the firm’s Privacy + Cyber Practice Group. A privacy and data security attorney, she also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and assessing breach response obligations following a breach.

On October 28, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a new interpretive rule replacing its 2022 interpretive rule (withdrawn in May 2025) concerning the scope of preemption under the Fair Credit Reporting Act (FCRA). This new interpretive rule clarifies that the FCRA broadly preempts state laws related to consumer reporting, reinforcing Congress’s intent to establish national standards when information is used to determine a consumer’s eligibility for credit, insurance, employment and the like. This move replaces the previous rule, which was criticized for its potential to create regulatory confusion.

Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). The guidance, “Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers” (“Guidance”), specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.

In this crossover episode of Payments Pros and The Consumer Finance Podcast, Carlin McCrory is joined by colleague Kim Phan to discuss the Consumer Financial Protection Bureau’s (CFPB) recent developments regarding Section 1033 of the Consumer Financial Protection Act (CFPA). This summer, the CFPB initiated a new rulemaking process, inviting industry comments on its final rule concerning personal financial data rights. With a deadline of October 21 for public comments, industry participants are encouraged to weigh in on access to consumer financial information.

In this episode of Payments Pros, Carlin McCrory is joined by colleague Kim Phan to discuss the Consumer Financial Protection Bureau’s (CFPB) recent developments regarding Section 1033 of the Consumer Financial Protection Act (CFPA). This summer, the CFPB initiated a new rulemaking process, inviting industry comments on its final rule concerning personal financial data rights. With a deadline of October 21 for public comments, industry participants are encouraged to weigh in on access to consumer financial information.

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.

On September 5, President Trump signed into law the Homebuyers Privacy Protection Act (HPPA) (H.R. 2808). This bipartisan legislation, sponsored by Representatives John Rose (R-TN) and Ritchie Torres (D-NY), aims to safeguard homebuyers’ personal financial information.

On August 21, the Consumer Financial Protection Bureau (CFPB or Bureau) took a significant step forward in its reconsideration of the Section 1033 open banking final rule, originally issued in November 2024, by issuing an Advance Notice of Proposed Rulemaking (ANPR). This move follows the Bureau’s announcement that it would be reopening the rulemaking process when it requested a stay to the original rule amidst legal challenges.

In a significant turn of events, the Consumer Financial Protection Bureau (CFPB or Bureau) has decided to initiate a new rulemaking process concerning its final rule on personal financial data rights under Section 1033 of the Consumer Financial Protection Act of 2010 (1033 rule). This decision comes amidst ongoing legal challenges, notably from Forcht Bank, N.A.; Kentucky Bankers Association; and the Bank Policy Institute, which filed a lawsuit challenging the 1033 rule immediately after it was finalized.

In this episode of Moving the Metal: The Auto Finance Podcast, hosts Brooke Conkle and Chris Capurso are joined by colleagues Kim Phan and Aileen Ng for a deep dive into the Federal Trade Commission’s (FTC) Safeguards Rule under the Gramm-Leach-Bliley Act, focusing on its impact on the auto-finance industry. The discussion covers the recent FAQs published by the FTC to aid auto dealers in compliance, the evolving cybersecurity requirements, and the contrasting regulatory approaches between the Trump and Biden administrations. The episode explores how auto dealers fit into the Safeguards Rule, the implications of their relationships with original equipment manufacturers and service providers, and the notification requirements in the event of a data breach. Additionally, the conversation addresses various financing scenarios and how they trigger the Safeguards Rule. Tune in for a comprehensive understanding of these regulations and practical insights for auto dealers navigating these complex legal landscapes.

In this special crossover episode between FCRA Focus and The Consumer Finance Podcast, Kim Phan, Dave Gettings, Chris Willis, and Cindy Hanson explore the recent withdrawal of Consumer Financial Protection Bureau (CFPB) guidance affecting the Fair Credit Reporting Act (FCRA). This episode provides a comprehensive analysis of how these changes impact key areas such as preemption, background screening, permissible purpose, artificial intelligence, and state attorneys general enforcement actions. The discussion highlights the implications for consumer reporting agencies, furnishers, end-users, and the broader regulatory landscape, offering valuable insights for professionals navigating these evolving challenges. Tune in to understand the potential shifts in compliance and enforcement.