
Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she practices as a privacy and data security attorney. She also assists companies with data breach prevention and response, including establishing effective security programs before a breach occurs and assessing breach response obligations after one.

In a case of first impression, the U.S. Court of Appeals for the Ninth Circuit was tasked with determining whether the alleged extracting and retaining of consumer data and tracking of customers using an online payment platform exposes defendants to personal jurisdiction in the state where an online purchase was made. The court concluded it does not. “When a company operates a nationally available e-commerce payment platform and is indifferent to the location of end-users, the extraction and retention of consumer data, without more, does not subject the defendant to specific jurisdiction in the forum where the online purchase was made.”

Join Troutman Pepper Partner Chris Willis as he discusses the New York Department of Financial Services’ (NYDFS) latest updates to its cybersecurity regulations with Troutman Pepper Privacy + Cyber Partner Kim Phan. With data breaches on the rise, the NYDFS has heightened its expectations for licensed entities in New York regarding data management. The finalized

On November 1, New York Governor Kathy Hochul announced that the state’s Department of Financial Services (NY DFS) has amended its Cybersecurity Regulations to “enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats.” According to the NY DFS, key changes in the regulations include: enhanced governance requirements; additional controls to prevent unauthorized access to information systems and mitigate the spread of an attack; requirements for more regular risk assessments, as well as more robust incident response plans; updated notification requirements; and updated direction for companies to invest in at least annual training and cybersecurity awareness programs that are relevant to their business model. The newly amended compliance requirements will take effect in phases.

On October 30, President Biden issued a sweeping Executive Order calling on Congress to enact privacy laws and directing federal agencies to review existing rules and potentially explore new rulemakings governing the use of artificial intelligence (AI) across various sectors of the U.S. economy. Among other things, the Executive Order will require AI system developers to submit safety test results to the federal government, establish standards for detecting AI-generated content to fight consumer fraud, and develop AI tools to identify and fix vulnerabilities in critical software. According to the White House fact sheet, the stated goal of the Executive Order is to “ensure that America leads the way in seizing the promise and managing the risks of [AI].” To that end, the Executive Order focuses on national security, privacy, discrimination and bias, healthcare safety, workplace surveillance, innovation, and global leadership.

On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.

On October 19, the Consumer Financial Protection Bureau (CFPB) issued its highly anticipated notice of proposed rulemaking under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). The proposed Personal Financial Data Rights Rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ accounts, establish obligations for third parties accessing a consumer’s data, and provide basic standards for data access. Notably, the proposed rule only provides for narrow exceptions, such as community banks and credit unions that have no digital interface with their customers. The CFPB is currently accepting comments on the proposed rule until December 29, 2023.

As discussed here, on September 21 the Consumer Financial Protection Bureau (CFPB) released an outline of its plans for rulemaking under the Fair Credit Reporting Act (FCRA). The outline was supplied for initial comment to a panel of small business representatives convened under the Small Business Regulatory Enforcement Fairness Act (SBREFA).

Please join Troutman Pepper Partners Kim Phan and Stefanie Jackman for a special podcast episode showcasing our firm’s state and federal legislative and regulatory tracking products. These powerful tools were designed to inform industry professionals about the latest state and federal legislative and regulatory developments in order to aid organizations with their compliance management systems and initiatives. The weekly trackers focus on three areas: debt collection, privacy and data security, and consumer reporting and Fair Credit Reporting Act case law. In addition to a weekly tracker, you will be invited to participate in monthly roundtable discussions with Kim and Stefanie. You will also have access to a searchable online portal, which houses all of the information sent out in the weekly updates plus the topics covered in our monthly roundtables. Please tune in to learn more about receiving this valuable tool for your organization.

The Consumer Financial Protection Bureau (CFPB) today outlined a plan for rulemaking under the Fair Credit Reporting Act (FCRA) that could significantly impact the entire consumer data ecosystem. The proposed rulemaking could redefine “data brokers” and “data aggregators” and extend FCRA regulation to businesses that do not currently meet the FCRA’s definition of “consumer reporting agency.” The CFPB’s plan could also impose stricter rules for obtaining consumer consent and increase compliance requirements and risks for both new and existing members of the FCRA-regulated consumer data ecosystem.

Join us for the third episode in a special three-part series covering the CFPB’s intention to propose new rules under the Fair Credit Reporting Act (FCRA). In this episode, Troutman Pepper Partners Chris Willis, Dave Gettings, Kim Phan, Ethan Ostroff, and Ron Raether discuss the potential implications of regulating data brokers under the FCRA, and how this might affect data brokers as well as other types of entities, including users, consumer reporting agencies, and resellers.