Privacy + Cyber

Subscribe to Privacy + Cyber via RSS

In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.

In 2025, the U.S. digital asset landscape evolved more dramatically than in any year since the industry’s inception. A pro‑innovation White House, an active Congress, and key regulators — including the U.S. Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Office of the Comptroller of the Currency (OCC), the Department of

In this crossover episode of Payments Pros and The Consumer Finance Podcast, guest host Taylor Gess dives into the rapidly evolving world of point-of-sale financing for medical and dental procedures with Troutman Pepper Locke Partners Jason Cover, Brent Hoard, and Erin Whaley. They unpack how HIPAA, business associate relationships, and information-sharing structures can impact financing programs in clinical settings. They explore state-level trends in California, Illinois, and New York, including new restrictions on provider involvement in financing, promotional offers, and payments. The discussion also highlights emerging risks around website tracking technologies, payment portals, and wiretapping-style lawsuits targeting digital health and payment ecosystems. Listeners will come away with a practical framework for structuring medical and dental financing arrangements, managing disputes, and anticipating the next wave of state-level regulation and enforcement.

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Ted Augustinos and Kim Phan to introduce The Money Matrix, an upcoming webinar series helping financial institutions navigate privacy, data security, and AI in today’s complex digital landscape. The teaser highlights strategies to secure financial data, overcome barriers to adopting AI, and stay ahead of regulatory trends. Each session offers practical guidance to help teams like Neo, Trinity, and Morpheus remain innovative, compliant, and trusted. The series explores how financial institutions can balance innovation with data privacy while leveraging AI responsibly.

In this episode of The Consumer Finance Podcast, Chris Willis is joined by colleagues Jason Manning, Angelo Stio, and Rob Jenkin to unpack the surge of litigations arising from the use of tracking technologies (e.g., cookies, pixels, and session tools) on websites. This episode explains how plaintiff firms are repurposing federal and state wiretap and “trap-and-trace” laws, as well as the Video Privacy Protection Act (VPPA), to assert claims associated with a business’s use of tracking technologies without consent. 

Key point: Courts are concluding that not all data breaches should result in a lawsuit. Businesses need to consider causation and damages when responding to an incident and take steps to determine if there is no evidence of harm or traceability including on a class wide basis.

Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers | Department of Financial Services specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers (“Guidance”). According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.

On July 28, the New Jersey Division of Consumer Affairs issued a reminder to more than 3,000 auto dealerships regarding their obligations under the New Jersey data deletion law, N.J.S.A. § 56:12-18.1. This law, enacted and effective in January 2024, requires dealerships to offer data deletion services for consumer information stored in vehicles accepted for resale or lease. Dealerships are now on notice of their compliance obligations under the law.

On October 16, the New York State Department of Financial Services (NY DFS) issued an industry letter to entities regulated by NY DFS (covered entities) providing guidance addressing the cybersecurity risks associated with the use of artificial intelligence (AI). The guidance purportedly aims to assist covered entities in understanding and assessing cybersecurity risks associated with threats arising from the use of AI by cybercriminals and the controls that may be used to mitigate those risks. The NY DFS emphasizes that this new guidance does not impose any new requirements on covered entities, but rather it provides an outline for meeting existing compliance obligations under the NY DFS Cybersecurity Regulation, 23 NYCRR Part 500, in light of the advancements in AI technology.