On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.

The Delete Act (SB 362), signed into law by California Gov. Gavin Newsom on October 10, imposes additional disclosure and registration requirements on data brokers. It requires data brokers to support deletion requests through a central “deletion mechanism” managed by the California Privacy Protection Agency (CPPA). The law also empowers consumers to request deletion of their personal information from all registered data brokers with a single submission.

The Consumer Financial Protection Bureau (CFPB) today outlined a plan for rulemaking under the Fair Credit Reporting Act (FCRA) that could significantly impact the entire consumer data ecosystem. The proposed rulemaking could redefine “data brokers” and “data aggregators” and extend FCRA regulation to businesses that do not currently meet the FCRA’s definition of “consumer reporting agency.” The CFPB’s plan could also impose stricter rules for obtaining consumer consent and increase compliance requirements and risks for both new and existing members of the FCRA-regulated consumer data ecosystem.

The modern “Information Age” has been defined by rapidly increasing interconnectivity and dependence on the internet by consumers and businesses alike. One side effect of these technological advances has been the increasing frequency of cyberattacks and data breaches perpetrated by sophisticated cyber criminals using ever-evolving methods of infiltration. And, as can be expected, along with the increase in data breaches over the past few decades, we have seen the rise of data breach litigation, and in particular, consumer class action litigation against the companies that have been victimized by those data breaches. The Fourth Circuit has seen several high-profile data breach class actions. Such class actions often face difficult uphill battles in proving the necessary elements for class certification, particularly when it comes to defining a theory of harm that can be proven by common evidence across the class. Last month, Judge Gibney of the Richmond Division of the Eastern District of Virginia dismissed one such data breach class action case for a more basic problem: the named plaintiffs could not demonstrate they had suffered any concrete injury sufficient to establish Article III standing at all, let alone damages that could be proven classwide. Holmes v. Elephant Ins. Co., No. 3:22cv487, 2023 WL 4183380 (E.D. Va. June 26, 2023).

On April 3, the U.S. Department of Justice (DOJ) announced that it has seized virtual currency worth an estimated $112 million linked to cryptocurrency investment scams. Seizure warrants for six virtual currency accounts were authorized by judges in the District of Arizona, the Central District of California, and the District of Idaho. The virtual currency

Q: Does a BIPA claim accrue each time a person’s biometrics are scanned or only with the first such scan?

A: A BIPA claim accrues with each scan.

On February 17, the Illinois Supreme Court issued its long-awaited decision in Cothron v. White Castle, holding that a claim under Illinois’ Biometric Information Privacy Act

As discussed here, on October 27, 2022, the CFPB released an Outline of Proposals and Alternatives Under Consideration for public comments on the CFPB’s Section 1033 rulemaking. The window for providing written feedback closed on January 25, 2023. Below we have highlighted some of the submissions by industry and consumer groups.

The proposed rules

The deadline for complying with certain provisions of the Standards for Safeguarding Customer Information (Safeguards Rule) has been extended to June 9, 2023. As we previously posted, on January 10, the Federal Trade Commission’s (FTC) final rule amending the Safeguards Rule under the Gramm-Leach-Bliley Act became effective. The Safeguards Rule requires nonbanking financial institutions

In an October 27 letter, the American Bankers Association (ABA) expressed concern regarding a proposal currently being considered by the Consumer Financial Protection Bureau (CFPB) that would shift liability from consumers to banks for scams involving peer-to-peer (P2P) payments. This would include requiring banks to reimburse consumers for P2P payments made but later identified

At the Money 20/20 fintech conference, Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra announced his intent to move forward with the CFPB’s rulemaking under Section 1033 of the Consumer Financial Protection Act as part of the financial services industry’s movement toward “open banking,” a concept that involves the use of APIs that provide direct