Equifax announced on September 7, 2017 a massive data breach affecting an estimated 143 million consumers.  Richard Cordray, the then Director of the CFPB, shortly thereafter authorized an investigation according to several media reports.  Reuters reported yesterday that the investigation sputtered since then, according to several government and industry sources.  That is not surprising since there is substantial doubt as to whether the CFPB has enforcement jurisdiction over data breaches.  See our March 3, 2016 blog about the one and only data security enforcement action taken by the CFPB.  Professor Jeff Sovern acknowledged yesterday in the Consumer Law and Policy Blog that “the CFPB has very limited jurisdiction over the Equifax data breach, if it has any jurisdiction anyway….”

Equifax is reportedly being investigated by every state attorney general and the FTC and is facing an onslaught of class actions.  So even though the CFPB appears not to be involved in the Equifax matter, this has not stopped the FTC and the state attorneys general from aggressively pursuing their own investigations.  This underscores the point we will be emphasizing during our webinar tomorrow entitled:  “Who Will Fill the Void Left Behind by the CFPB?”  It is not too late to register here.

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.


Last week, the OCC released its semiannual risk report highlighting credit, operational, and compliance risks to the federal banking system.  The report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC.  Specifically, the OCC placed cybersecurity and anti-money laundering (AML) issues among the three top concerns highlighted in the report.

The OCC called for banks to remain vigilant against the operational risks that arise from efforts to adapt business models, transform technology and operating processes, and respond to increasing cybersecurity threats.  The OCC stated that:

  • “The speed and sophistication of cybersecurity threats are increasing. Banks continually face threats seeking to exploit bank personnel, processes, and technology. These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate fraud and misappropriation of funds at the retail and wholesale levels.”
  • “Phishing is a primary method for breaching data systems and often leads to other malicious activity, such as installing ransomware, compromising internal systems to effect payments, or conducting espionage. Effective user awareness campaigns and training help prevent phishing attacks. Timely and thorough software patch and system update management, strong risk-based authentication, employee training, and effective network segmentation can prevent further damage if intrusions succeed.”
  • “The number, nature, and complexity of third-party relationships continue to expand, increasing risk management challenges for banks. Financial technology companies providing innovative financial products and services introduce opportunities, as well as potential risk, for banks.”
  • “Consolidation among larger service providers has increased third-party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Operational events at these larger service providers can potentially affect wide segments of the financial industry.”
  • “The volume of products and services and the complexity of end-to-end processes for delivery in larger, complex banks are key drivers influencing the current level of operational risk. Insufficient monitoring and limited internal testing have failed to detect product and service delivery disruptions, resulting in slowed responses by banks and prolonged impact to customers. This condition is especially true of banks with legacy or disparate management information systems and risk management programs that may be ineffective.

The OCC also called for banks to address the compliance risks related to managing money laundering risks in an increasingly complex risk environment. The OCC stated that:

  • “The challenge for banks to comply with Bank Secrecy Act (BSA) requirements persists due to dynamism of money laundering and terrorism-financing methods. Also, bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit.”
  • “In addition, BSA and anti-money laundering AML compliance risk management systems may not keep pace with evolving risks, constraints on resources, changes in business models, and an increasingly complex risk environment.”
  • “New and amended regulations strain bank change management processes and compliance management systems, which increases operational, compliance, and reputation risks. These changes include the integrated mortgage disclosures under the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA), as well as the new requirements under the amended regulations implementing the HMDA and the MLA.”
  • “Many banks face difficulties validating processes and systems that rely on software, automated tools, disclosure forms, and third-party relationships to process loan applications, create and distribute disclosures, and underwrite and close loans. Sound risk management practices should include maintaining processes and systems that are sufficient to identify covered borrowers and loan products, producing accurate calculations and required disclosures, and incorporating other required protections.”
  • “Some banks have difficulty fully and accurately implementing the significant system and operational changes necessary for the integrated mortgage disclosure forms—Loan Estimate and Closing Disclosure—required for most mortgage loans secured by real property… Banks need consumer compliance risk management and audit functions sufficient to promote ongoing compliance with the regulation.”

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

On December 14, the Financial Stability Oversight Council (FSOC), which was established by the Dodd-Frank Act to analyze and mitigate potential threats to the financial sector, released its first report under the Trump administration (the “Report”).  FSOC is comprised of representatives from each of the federal financial regulators, including the CFPB.  Mick Mulvaney, President Trump’s designee as CFPB Acting Director, signed the report on behalf of the CFPB.

Among other risk areas discussed in the Report, the FSOC identifies cybersecurity as the first area of risk to be addressed by financial institutions.  The FSOC also calls on the federal financial regulatory agencies and the Treasury Department to ensure that banking institutions and third parties are adequately safeguarding against cyber intrusions.  Specifically, the Report urges improvement in the following areas:

  • Executive Oversight. The FSOC “underscores the necessity of sustained senior-level attention on cybersecurity risks and their potential systemic implications.”  To that end, the FSOC recommends the creation of a council of senior executives that would be focused on cybersecurity issues and responsible for liaising with regulators.
  • Information Sharing. In order to develop a better understanding of operational risks, improve risk-mitigation efforts, and enhance the financial sector’s security and resilience, the FSOC encourages the sharing of threat information and known vulnerabilities among government agencies and between the public and private sectors.
  • Cybersecurity Standards. The FSOC recommends that financial regulators establish a “harmonized risk-based approach” when addressing cybersecurity among financial institutions, including utilizing the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Framework) and developing a common lexicon when discussing these issues with regulated companies.  The Report notes that a common lexicon should be created within both the domestic and international financial sectors, and points to the approaches of other G7 countries for instruction.
  • Third-party Service Providers. The FSOC encourages financial institutions to address cybersecurity risks related to third-party service providers and adopt the use of appropriately tailored language in vendor contracts.
  • Coordination of Response and Recovery Processes. The Report states that the Financial and Banking Information Infrastructure Committee (FBIIC) should continue to promote processes to strengthen response and recovery efforts while working closely with the Department of Homeland Security (DHS), law enforcement, and industry partners to carry out regular cybersecurity exercises.

Financial institutions and their service providers should enhance their cybersecurity protocols to address the Report’s recommendations.  Based on the Report, we suggest that companies, at a minimum, consider preparing Board presentations that appropriately discuss the legal risks associated with cybersecurity, implementation of the NIST Framework as appropriate, and incorporation of cybersecurity provisions into vendor contracts.

The cities of Chicago and San Francisco and the Massachusetts Attorney General have filed the first enforcement actions against Equifax following the announcement of a data breach affecting an estimated 143 million consumers.  Equifax announced the data breach on September 7, 2017, after hackers allegedly exploited a vulnerability in open-source software used by Equifax to create its online consumer dispute portal.

The first suits were filed on September 26th by the Massachusetts Attorney General and San Francisco.  Massachusetts’s complaint was filed in Superior Court in Suffolk County and alleges that Equifax knew or should have known about the vulnerability and that hackers were attempting to exploit it, but that Equifax failed to take known and available measures to prevent the breach.  Massachusetts asserts claims for violations of the Massachusetts data privacy statute and the Massachusetts Consumer Protection Act prohibiting unfair and deceptive practices based on Equifax’s alleged failure to give timely notice of the breach, failure to safeguard personal information, and failure to take other actions that Equifax was uniquely positioned to provide that would have mitigated damages to Massachusetts consumers.  The Massachusetts Attorney General is seeking unspecified civil penalties, disgorgement of profits, restitution, costs and attorney’s fees.

San Francisco’s complaint, filed in the Superior Court of San Francisco, asserts claims under the California Business and Professions Code for unlawful, unfair or fraudulent business practices, alleging that Equifax failed to maintain reasonable security practices and procedures, failed to provide timely notice of the security breach, and failed to provide complete, plain and clear information when notice was provided.  The lawsuit seeks restitution for all California consumers, civil penalties up to $2,500 per violation of law, restitution, costs, and a court order requiring Equifax to implement and maintain appropriate security procedures in the future.

Finally, the City of Chicago filed suit on September 28th in Cook County Circuit Court and asserts claims arising under both state law and city ordinance.  Specifically, Chicago alleges Equifax violated a local ordinance prohibiting fraudulent, unfair, and deceptive business practices, as well as the Illinois Consumer Fraud and Deceptive Business Practices Act.  Chicago’s claims are based on allegations that Equifax failed to give prompt notice of the breach, failed to safeguard personal information, and deceived consumers by requiring them to waive their legal rights in exchange for credit monitoring services and by misrepresenting that the offered credit monitoring was free.  Chicago seeks civil monetary penalties in the amount of $10,000 for each day a violation has existed that involves a Chicago resident, restitution, and injunctive relief requiring Equifax to maintain adequate security measures to prevent data breaches.

These are likely just the first of many lawsuits to be filed against Equifax by state and local officials.  Further action at both the federal and state level seems all but certain.  For example, the Federal Trade Commission and Department of Justice have confirmed they are investigating the breach, and the New York Department of Financial Services confirmed that it recently issued a subpoena to Equifax for more information about the breach.  This vigorous and immediate government enforcement effort further supports our position that private class action lawsuits are an unnecessary and inappropriate tool for vindicating any harm caused by the data breach.  We will continue to follow these significant cases and update you as events unfold.

The recent data breach disclosure by Equifax raised an outcry from consumer advocates trying to link the data breach to the Consumer Financial Protection Bureau’s (CFPB) final arbitration rule.  They are portraying this cybersecurity incident as a prime example of why class actions are needed to protect consumers, hoping to persuade the U.S. Senate not to repeal the rule under the Congressional Review Act.  The CFPB rule bars financial services companies from including class action waivers in consumer arbitration agreements beginning on March 19, 2018.

The Senate should disregard their arguments.  While the CFPB arbitration rule covers some credit reporting company activities, it does not appear to cover data breaches such as this one.  Therefore, the Equifax data breach has nothing to do with the CFPB arbitration rule.  In any event, the issue appears to be moot, since according to published reports Equifax has stated that it will not seek to apply its on-line arbitration clause and class action waiver to claims based on the data breach itself.

Consumer advocates have also criticized Equifax for purportedly requiring consumers who may have been affected by the data breach and who want to sign up for the company’s offer to provide free credit protection services to agree to arbitrate claims from those services (unless they exercise their right to opt out of the arbitration clause), but Equifax has made clear that its arbitration clause and class action waiver will not apply to this cybersecurity event.  But lost in the hubbub is the fact that claims of this nature would appear to be inherently individualized and not susceptible to class action treatment since the facts pertinent to each consumer’s account presumably will be unique.

Ultimately, this incident exemplifies why the Senate should vote to repeal the CFPB arbitration rule.  The CFPB, the Federal Trade Commission and state attorneys general (most notably Attorney General Schneiderman of New York) got involved almost immediately and will advocate on behalf of consumers more efficiently and effectively than class action lawsuits, without siphoning off a hefty attorneys’ fee if they prevail.

On May 15, 2017, the Federal Reserve Office of Inspector General – which also oversees the CFPB – released a report finding deficiencies in the CFPB Office of Enforcement’s (Enforcement) processes for securing sensitive information.  The evaluation, conducted between February 2016 and July 2016, reviewed Enforcement’s processes for protecting the information it collects from the entities subject to its investigations and litigation activities related to potential violations of federal consumer financial laws, referred to as confidential investigative information (CII).

First, the Report found that access to matters containing CII was not always restricted to employees that required it to perform their assigned duties – during the time period evaluated, the OIG identified 113 individuals with access to matters when they no longer needed it.  Although CFPB policy is to require that access to high-sensitivity information, including CII, be restricted to individuals “with a demonstrated business need;” employees were generally allowed broad access to the network drive containing CII.  To address these issues, the Report offered five recommendations: (1) formalize in policy that employees should be granted access to Enforcement’s review tools and network drive matter folders only when such access is relevant to their assigned duties; (2) update policies and procedures to specify the process for approving and updating matter folder access rights for Enforcement’s review tools and network drive; (3) expand existing training for employees to reinforce guidance on Enforcement’s  interpretation that “demonstrated business need” means relevance to performing assigned duties, and the access approval and updating process for Enforcement’s review tools and network drive; (4) develop and implement a monitoring and testing approach to periodically confirm that Enforcement’s matter folders are appropriately restricted; and (5) coordinate with the Chief Information Officer to ensure that the new cloud environment, which is intended to replace the network drive, includes access approval and monitoring capabilities that meet the current and future needs of Enforcement.

Second, the Report found that Enforcement employees did not consistently follow CFPB guidelines for safeguarding CII, were unaware of certain aspects of the CFPB’s policies, and did not understand how relevant policies applied to their daily work activities.  The Report offered three recommendations to address this issue: (1) develop and implement operational procedures specific to Enforcement for handling printed high-sensitivity information, including but not limited to information labeling requirements and the use of cover sheets; (2) establish a strategy to periodically reinforce handling and safeguarding requirements and establish a monitoring approach to test compliance with information handling and safeguarding policies and procedures; and (3) monitor securable, access-controlled storage space, including but not limited to lockable cabinets and offices, to ensure that it meets the needs of all Enforcement employees.

Lastly, the Report found that Enforcement’s lack of a uniform naming convention hindered its ability to monitor and maintain access to matter folders.  The Report found that matter folder names were not uniform, with several instances of duplicate matters, and matters were inconsistently identified across different systems.  This hindered management’s ability to: (1) locate documents; (2) assign and monitor access to matter folders; and (3) ensure uniform and complete documentation or data for a matter.  The Report recommended developing a policy to establish a standard naming convention for matter folders and other relevant Enforcement folders to be used across all Enforcement applications and internal drives.

The Report raises significant – and continuing – concerns regarding Enforcement’s ability to safeguard the information it collects in the course of its investigations.  The Report follows the OIG’s September 29, 2016, memorandum, which identified information security as an area of improvement for CFPB management (see our prior blog post).  It is also interesting to note that the Report’s review period coincides with Enforcement’s March 2016 consent order with Dwolla, which marked Enforcement’s first – and to date, its only – foray into the data security realm (see our blog post on the consent order).  The Report’s findings highlight Enforcement’s continued struggle to satisfy the same internal data security requirements that it expects companies to maintain.  Enforcement’s failure to restrict access to sensitive information creates a risk of unauthorized disclosure.  Moreover, while the Report notes that former employees do not pose a significant risk due to the fact that they should no longer have access to the CFPB’s network, the fact that their access has not been restricted provides at least some reason for concern that these individuals may be able to misuse this information.

New Mexico recently became the 48th state to enact a data breach notification law.  This continues the accelerated pace of state data breach legislative activity in the last two years.  Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.

Among the most significant aspects of New Mexico’s brand new “Data Breach Notification Act” is its definition of “Personal Identifying Information.”  The Act follows a growing state trend by including “biometric data” in its definition of “personal identifying information.  In addition, “security breach” is defined as the acquisition of—but not mere access to—unencrypted computerized data or encrypted data if the encryption key is also acquired.  The Act contains an exemption from the requirement to provide notice within 45 calendar days after discovery of the breach for persons subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.

For more information on the new law, see our legal alert.



On September 29th, the Office of the Inspector General (OIG) that oversees the CFPB released a memorandum detailing the major management challenges facing the CFPB.  The memo identified four areas of improvement that, unless addressed, would otherwise hamper the CFPB’s ability to accomplish its strategic objectives:

  • Ensuring an Effective Information Security Program
  • Ensuring Comprehensive Policies and Procedures Are in Place and Followed
  • Maturing the Human Capital Program
  • Managing and Acquiring Sufficient Workspace to Support CFPB Activities

Despite the vast quantities of consumer information being collected by the CFPB as part of its consumer protection mission, the CFPB has not fully implemented an information security continuous monitoring program, including a comprehensive data loss prevention system and oversight of contractor-operated information systems.  Furthermore, the CFPB has not fully implemented processes within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information.  Not only must the CFPB be concerned about hackers, the CFPB must also address the risk of insider threats.  A review of the CFPB website reveals that the CFPB makes very few representations about the level of security being provided for consumer information.  In the wake of the CFPB’s data security enforcement action against Dwolla, Inc. (see our prior blog post), the CFPB should be prepared to satisfy the same data security requirements that it expects to see among the companies that it regulates.

Additionally, the CFPB expects companies to maintain comprehensive compliance management systems, including written policies and procedures as well as employee training on those policies and procedures.  However, the OIG concluded that the CFPB does not have a comprehensive set of policies and procedures for some program areas, and that the CFPB did not fully ensure that its staff members were aware of and complied with its existing policies and procedures.  Despite clear guidance provided to industry about the minimum requirements of an effective compliance management system, as described in the CFPB Supervision and Examination Manual, the CFPB appears to have similar struggles in establishing its own internal governance.