Privacy + Cyber

Subscribe to Privacy + Cyber

The Consumer Financial Protection Bureau (CFPB) today outlined a plan for rulemaking under the Fair Credit Reporting Act (FCRA) that could significantly impact the entire consumer data ecosystem. The proposed rulemaking could redefine “data brokers” and “data aggregators” and extend FCRA regulation to businesses that do not currently meet the FCRA’s definition of “consumer reporting agency.” The CFPB’s plan could also impose stricter rules for obtaining consumer consent and increase compliance requirements and risks for both new and existing members of the FCRA-regulated consumer data ecosystem.

The modern “Information Age” has been defined by rapidly increasing interconnectivity and dependence on the internet by consumers and businesses alike. One side effect of these technological advances has been the increasing frequency of cyberattacks and data breaches perpetrated by sophisticated cyber criminals using ever-evolving methods of infiltration. And, as can be expected, along with the increase in data breaches over the past few decades, we have seen the rise of data breach litigation, and in particular, consumer class action litigation against the companies who have been victimized by those data breaches. The Fourth Circuit has seen several high-profile data breach class actions. Such class actions often face difficult uphill battles in proving the necessary elements for class certification, particularly when it comes to defining a theory of harm that can be proven by common evidence across the class. Last month, Judge Gibney of the Richmond Division of the Eastern District of Virginia dismissed one such data breach class action case for a more basic problem: the named plaintiffs could not demonstrate they had suffered any concrete injury sufficient to establish Article III standing at all, let alone damages that could be proven classwide. Holmes v. Elephant Ins. Co., No. 3:22cv487, 2023 WL 4183380 (E.D. Va. June 26, 2023).

On April 3, the U.S. Department of Justice (DOJ) announced that it has seized virtual currency worth an estimated $112 million linked to cryptocurrency investment scams. Seizure warrants for six virtual currency accounts were authorized by judges in the District of Arizona, the Central District of California, and the District of Idaho. The virtual currency

Q: Does a BIPA claim accrue each time a person’s biometrics are scanned or only with the first such scan?

A: A BIPA claim accrues with each scan.

On February 17, the Illinois Supreme Court issued its long-awaited decision in Cothron v. White Castle, holding that a claim under Illinois’ Biometric Information Privacy Act

As discussed here, on October 27, 2022, the CFPB released an Outline of Proposals and Alternatives Under Consideration for public comments on the CFPB’s Section 1033 rulemaking. The window for providing written feedback closed on January 25, 2023. Below we have highlighted some of the submissions by industry and consumer groups.

The proposed rules

Companies dealing with a data incident confront an uneven landscape and requirements that can differ from state to state. It is easy to feel lost. Find your way with Troutman Pepper’s new Incident Response Interactive Map, created by our cybersecurity attorneys.

With a simple and intuitive user experience, our U.S. map provides state-by-state definitions, notification

The deadline for complying with certain provisions of the Standards for Safeguarding Customer Information (Safeguards Rule) has been extended to June 9, 2023. As we previously posted, on January 10, the Federal Trade Commission’s (FTC) final rule amending the Safeguards Rule under the Gramm-Leach-Bliley Act became effective. The Safeguards Rule requires nonbanking financial institutions

In an October 27 letter, the American Bankers Association (ABA) expressed concern regarding a proposal currently being considered by the Consumer Financial Protection Bureau (CFPB) that would shift liability from consumers to banks for scams involving peer-to-peer (P2P) payments. This would include requiring banks to reimburse consumers for P2P payments made but later identified

At the Money 20/20 fintech conference, Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra announced his intent to move forward with the CFPB’s rulemaking under Section 1033 of the Consumer Financial Protection Act as part of the financial services industry’s movement toward “open banking,” a concept that involves the use of APIs that provide direct

On October 17, a U.S. District Court for the Western District of Washington issued an order and judgment, ending two related putative class actions alleging tech companies violated Illinois’ Biometric Information Privacy Act (BIPA) by using datasets containing geometric scans of their faces without their permission. The court granted summary judgment in favor of