On October 16, the New York State Department of Financial Services (NY DFS) issued an industry letter to entities regulated by NY DFS (covered entities) providing guidance addressing the cybersecurity risks associated with the use of artificial intelligence (AI). The guidance purportedly aims to assist covered entities in understanding and assessing cybersecurity risks associated with threats arising from the use of AI by cybercriminals and the controls that may be used to mitigate those risks. The NY DFS emphasizes that this new guidance does not impose any new requirements on covered entities, but rather it provides an outline for meeting existing compliance obligations under the NY DFS Cybersecurity Regulation, 23 NYCRR Part 500, in light of the advancements in AI technology.

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a report entitled Identity-Related Suspicious Activity: 2021 Threats and Trends highlighting threat patterns and trend information derived from financial institutions’ Bank Secrecy Act (BSA) filings for the calendar year 2021. Financial institutions are required to file suspicious activity reports no later than 30 calendar days after the initial detection of facts that could constitute suspicious activity.

In a case of first impression, the U.S. Court of Appeals for the Ninth Circuit was tasked with determining whether the alleged extracting and retaining of consumer data and tracking of customers using an online payment platform exposes defendants to personal jurisdiction in the state where an online purchase was made. The court concluded it does not. “When a company operates a nationally available e-commerce payment platform and is indifferent to the location of end-users, the extraction and retention of consumer data, without more, does not subject the defendant to specific jurisdiction in the forum where the online purchase was made.”

On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.

The Delete Act (SB 362), signed into law by California Gov. Gavin Newsom on October 10, imposes additional disclosure and registration requirements on data brokers. It requires data brokers to support deletion requests through a central “deletion mechanism” managed by the California Privacy Protection Agency (CPPA). The law also empowers consumers to request deletion of their personal information from all registered data brokers with a single submission.

The Consumer Financial Protection Bureau (CFPB) today outlined a plan for rulemaking under the Fair Credit Reporting Act (FCRA) that could significantly impact the entire consumer data ecosystem. The proposed rulemaking could redefine “data brokers” and “data aggregators” and extend FCRA regulation to businesses that do not currently meet the FCRA’s definition of “consumer reporting agency.” The CFPB’s plan could also impose stricter rules for obtaining consumer consent and increase compliance requirements and risks for both new and existing members of the FCRA-regulated consumer data ecosystem.

The modern “Information Age” has been defined by rapidly increasing interconnectivity and dependence on the internet by consumers and businesses alike. One side effect of these technological advances has been the increasing frequency of cyberattacks and data breaches perpetrated by sophisticated cyber criminals using ever-evolving methods of infiltration. And, as can be expected, along with the increase in data breaches over the past few decades, we have seen the rise of data breach litigation, and in particular, consumer class action litigation against the companies that have been victimized by those data breaches. The Fourth Circuit has seen several high-profile data breach class actions. Such class actions often face difficult uphill battles in proving the necessary elements for class certification, particularly when it comes to defining a theory of harm that can be proven by common evidence across the class. Last month, Judge Gibney of the Richmond Division of the Eastern District of Virginia dismissed one such data breach class action case for a more basic problem: the named plaintiffs could not demonstrate they had suffered any concrete injury sufficient to establish Article III standing at all, let alone damages that could be proven classwide. Holmes v. Elephant Ins. Co., No. 3:22cv487, 2023 WL 4183380 (E.D. Va. June 26, 2023).

On April 3, the U.S. Department of Justice (DOJ) announced that it has seized virtual currency worth an estimated $112 million linked to cryptocurrency investment scams. Seizure warrants for six virtual currency accounts were authorized by judges in the District of Arizona, the Central District of California, and the District of Idaho. The virtual currency

Q: Does a BIPA claim accrue each time a person’s biometrics are scanned or only with the first such scan?

A: A BIPA claim accrues with each scan.

On February 17, the Illinois Supreme Court issued its long-awaited decision in Cothron v. White Castle, holding that a claim under Illinois’ Biometric Information Privacy Act

As discussed here, on October 27, 2022, the CFPB released an Outline of Proposals and Alternatives Under Consideration for public comments on the CFPB’s Section 1033 rulemaking. The window for providing written feedback closed on January 25, 2023. Below we have highlighted some of the submissions by industry and consumer groups.

The proposed rules