The FTC’s recently updated rule implementing GLB standards for safeguarding customer information replaces the flexibility previously given to financial institutions in developing an information security program with new prescriptive requirements.  Our discussion topics include what these new requirements mean for specific aspects of such programs, assigning employee responsibility, conducting risk assessments, installing access controls, using

We discuss the new notification requirements that the final rule places on both U.S. banking organizations and bank service providers relating to ransomware and similar computer security incidents, including the mandated timing for providing notice, and how the final rule differs from the agencies’ proposal.  We also look at the compliance challenges presented by the

As anticipated, the OCC, Federal Reserve Board, and FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”).  The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic.  It places new reporting requirements on both U.S. banking organizations, as well as bank service

The FTC’s final rule released last week amending its Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) will require significant changes in data security policies and procedures to be made by non-bank financial institutions covered by the Safeguards Rule.  Such institutions include finance companies, mortgage companies and brokers, motor vehicle dealers,

The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled, “Authentication and Access to Financial Institution Services and Systems” (Guidance.)  The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.

The Guidance contains risk management principles

Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation.  The book, Cyber Litigation: Data Brach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase.  The publication of CyberLitigation comes at an

In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing.

The case is McMorris v. Carlos Lopez & Associates, LLP (CLA).  CLA offers mental

On March 3rd, the New York Department of Financial Services (“NYDFS”) announced a settlement with Residential Mortgage Services, Inc. (“RMS”) to resolve allegations that RMS violated the NYDFS Cybersecurity Regulation relating to a 2019 cyber breach.

In July 2020, NYDFS conducted an examination of RMS as a licensed mortgage banker.  During the examination,

Subscribers to each service will receive weekly emails and have the opportunity to discuss developments in each area during a monthly call.  Additionally, subscribers will be enrolled in an interactive, searchable, online database that enables subscribers to have 24-hour access to our information and analysis.

To further educate our current subscribers and anyone else interested

On December 15th, the FTC announced in a press release that it had reached a settlement with a mortgage industry data analytics company to resolve allegations in the FTC’s administrative complaint that the company had failed to ensure one of its vendors was adequately securing personal data about tens of thousands of mortgage holders under