In this crossover episode of Payments Pros and The Consumer Finance Podcast, guest host Taylor Gess dives into the rapidly evolving world of point-of-sale financing for medical and dental procedures with Troutman Pepper Locke Partners Jason Cover, Brent Hoard, and Erin Whaley. They unpack how HIPAA, business associate relationships, and information-sharing structures can impact financing programs in clinical settings. They explore state-level trends in California, Illinois, and New York, including new restrictions on provider involvement in financing, promotional offers, and payments. The discussion also highlights emerging risks around website tracking technologies, payment portals, and wiretapping-style lawsuits targeting digital health and payment ecosystems. Listeners will come away with a practical framework for structuring medical and dental financing arrangements, managing disputes, and anticipating the next wave of state-level regulation and enforcement.

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Ted Augustinos and Kim Phan to introduce The Money Matrix, an upcoming webinar series helping financial institutions navigate privacy, data security, and AI in today’s complex digital landscape. The teaser highlights strategies to secure financial data, overcome barriers to adopting AI, and stay ahead of regulatory trends. Each session offers practical guidance to help teams like Neo, Trinity, and Morpheus remain innovative, compliant, and trusted. The series explores how financial institutions can balance innovation with data privacy while leveraging AI responsibly.

In this episode of The Consumer Finance Podcast, Chris Willis is joined by colleagues Jason Manning, Angelo Stio, and Rob Jenkin to unpack the surge of litigation arising from the use of tracking technologies (e.g., cookies, pixels, and session tools) on websites. This episode explains how plaintiff firms are repurposing federal and state wiretap and “trap-and-trace” laws, as well as the Video Privacy Protection Act (VPPA), to assert claims associated with a business’s use of tracking technologies without consent.

Key point: Courts are concluding that not all data breaches should result in a lawsuit. Businesses need to consider causation and damages when responding to an incident and take steps to determine if there is no evidence of harm or traceability, including on a class-wide basis.

Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS-regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). The industry letter, titled “Guidance on Managing Risks Related to Third-Party Service Providers” (the “Guidance”), specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.

On July 28, the New Jersey Division of Consumer Affairs issued a reminder to more than 3,000 auto dealerships regarding their obligations under the New Jersey data deletion law, N.J.S.A. § 56:12-18.1. This law, enacted and effective in January 2024, requires dealerships to offer data deletion services for consumer information stored in vehicles accepted for resale or lease. Dealerships are now on notice of their compliance obligations under the law.

On October 16, the New York State Department of Financial Services (NY DFS) issued an industry letter to entities regulated by NY DFS (covered entities) providing guidance addressing the cybersecurity risks associated with the use of artificial intelligence (AI). The guidance purportedly aims to assist covered entities in understanding and assessing cybersecurity risks associated with threats arising from the use of AI by cybercriminals and the controls that may be used to mitigate those risks. The NY DFS emphasizes that this new guidance does not impose any new requirements on covered entities, but rather it provides an outline for meeting existing compliance obligations under the NY DFS Cybersecurity Regulation, 23 NYCRR Part 500, in light of the advancements in AI technology.

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a report entitled Identity-Related Suspicious Activity: 2021 Threats and Trends highlighting threat patterns and trend information derived from financial institutions’ Bank Secrecy Act (BSA) filings for the calendar year 2021. Financial institutions are required to file suspicious activity reports no later than 30 calendar days after the initial detection of facts that could constitute suspicious activity.

In a case of first impression, the U.S. Court of Appeals for the Ninth Circuit was tasked with determining whether the alleged extracting and retaining of consumer data and tracking of customers using an online payment platform exposes defendants to personal jurisdiction in the state where an online purchase was made. The court concluded it does not. “When a company operates a nationally available e-commerce payment platform and is indifferent to the location of end-users, the extraction and retention of consumer data, without more, does not subject the defendant to specific jurisdiction in the forum where the online purchase was made.”