On September 25, the Consumer Financial Protection Bureau issued a report on its sources and uses of data. This report was followed by a Request for Information regarding its data collection practices, published in the Federal Register on September 28. In some respects, both documents are a follow-up to Acting Director Mick Mulvaney’s December 2017 order to CFPB staff to cease collecting personally identifying information, pending a review of and improvements to the Bureau’s overall data security systems.

The Dodd-Frank Act states that the CFPB “shall seek to implement and … enforce Federal consumer financial law consistently for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that [those markets] are fair, transparent, and competitive.” The CFPB regularly obtains data about consumers to fulfill these statutory functions and obligations and its data collection practices under the leadership of former Director Cordray had been the subject of strong criticism from Republican lawmakers.

The 199-page report describes the sources and uses of data collected, as well as the processes governing the intake, use, access, and disclosure of any data by the Bureau. Appendix B to the report includes a list of the Bureau’s 188 data collections to date from public sources, government agencies, commercial vendors, financial institutions, and consumers. The list generally does not include data collections from consumers on a voluntary basis, such as through focus groups, one-on-one interviews, or user testing. Contained in the report’s Appendix C is a list of the Memoranda of Understanding between the Bureau and other agencies that address the sharing of data. 81 different governmental and quasi-governmental agencies are named in the list.

During its review of its data security systems, the CFPB signed an interagency agreement under which the Department of Defense provided risk assessment services to identify potential gaps in the Bureau’s cybersecurity controls. The Bureau concludes in the report that its security protocol is currently “well-organized and maintained” with no critical issues found.

The CFPB is now seeking public input regarding the overall effectiveness and efficiency of the Bureau’s data collection practices. It is asking the public to provide comments on aspects of its data collection program, such as:

  • The sources, uses, and scope of information the Bureau collects;
  • Ways the Bureau should or should not reuse data collected for one purpose to inform the other functions of the Bureau;
  • Ways to reduce the burden on future furnishers of information;
  • Activities the Bureau could engage in to make data collections from financial institutions more effective and efficient; and
  • Other changes that may assist the Bureau to more effectively meet its statutory purpose and objectives.

Public comments are due to the CFPB by December 27, 2018.

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The law defines “authentication” as “a method of verifying the authority of a user, process, or device to access resources in an information system.” It defines “connected device” as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” “Manufacturer” is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”

Notably, the law exempts certain activities from its requirements. For example, it does not impose a “duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.” It also does not apply “to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” And the law exempts HIPAA covered entities and business associates to the extent the activity in question is covered by that act.

Importantly, the law states that it does not create a private right of action and vests enforcement authority solely with the California Attorney General’s Office, a city attorney, a county counsel, or a district attorney.

California law also already requires businesses to notify affected individuals if the business experiences a data breach and allows for a private right of action. The newly enacted California Consumer Privacy Act of 2018 also provides for not only a private right of action for certain data breaches, but also for statutory damages of between $100 and $750 per consumer per incident. Therefore, the new law fits into a broader statutory landscape that IoT manufacturers should be aware of and should take steps to mitigate the risk of litigation. That is particularly true given that plaintiffs’ lawyers have publicly stated that they are preparing for an onslaught of IoT-related litigation.

The Senate Floor Analysis explained that the law is necessary because many IoT devices “collect a vast amount of personal and intimate information” which, if not properly secured, can be vulnerable to breaches. Further, many IoT devices “can be directly hacked into, allowing strangers to conduct surreptitious surveillance on homes or to communicate through devices directly.”

The law was enacted contemporaneously in both the California Senate and Assembly. It takes effect on January 1, 2020.

A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter.

Breach Notification Standard

The Gramm-Leach-Bliley Act (GLBA) currently requires covered entities to establish appropriate safeguards to ensure the security and confidentiality of customer records and information and to protect those records against unauthorized access to or use. The proposed House bill would amend and expand  GLBA to mandate notification to customers “in the event of unauthorized access that is reasonably likely to result in identify theft, fraud, or economic loss.”

To codify breach notification at the national level, the proposed legislation requires all GLBA covered entities to adopt and implement the breach notification standards promulgated by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervisor in its  Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. This guidance details the requirements for notification to individuals in the event of unauthorized access to sensitive information that has or is reasonably likely to result in misuse of that information, including timing and content of the notification.

While the Interagency Guidance was drafted specifically for the banking sector, the proposed legislation also covers insurance providers, investment companies, securities brokers and dealers, and all businesses “significantly engaged” in providing financial products or services.

If enacted, this legislation will preempt all laws, rules, and regulations in the financial services and insurance industries with respect to data security and breach notification.

Cohesiveness in the Insurance Industry

The proposed legislation provides uniform reporting obligations for covered entities – a benefit particularly for insurance companies who currently must navigate a maze of something conflicting state law breach notification standards. Under the proposed legislation, an assuming insurer need only notify the state insurance authority in the state in which it is domiciled. The proposed legislation also requires the insurance industry to adopt new codified standards for data security.

To ensure consistency throughout the insurance industry, the proposed legislation also prohibits states from imposing any data security requirement in addition to or different from the standards GLBA or the Interagency Guidance.

If enacted, this proposed legislation will substantially change the data security and breach notification landscape for the financial services and insurance industries. Entities within these industries should keep a careful eye on this legislation and proactively consider how these proposed revisions may impact their current policies and procedures.

The U.S. Department of the Treasury’s recent report evaluating economic opportunities presented by nonbank financial institution and fintech company innovations includes a detailed account of current data aggregation activities in the financial services marketplace and provides policy recommendations that shed light on the federal government’s current views on data aggregation. (See our legal alert and blog posts (here and here) for a discussion of other portions of the Treasury’s report.)  In seeking to harness the potential benefits that can come from data aggregation, the Treasury report firmly supports the inclusion of these market participants.

Following are key takeaways from the Treasury’s report with respect to data aggregation practices and regulatory issues.

  • BCFP and private sector should develop consumer disclosure best practices. The Treasury suggests that the Bureau of Consumer Financial Protection (BCFP) should develop, either with the private sector or pursuant to its rulemaking authority, consumer-facing disclosures that are “plain language, readily accessible, readable through the preferred device used by consumers to access services… so that consumers can give informed and affirmative consent regarding to whom they are granting access, what data is being accessed and shared, and for what purpose,” and to opt-out of such sharing.
  • APIs provide advantages and should be supported. The report raises a number of issues with screen scraping while promoting the benefits of application programming interfaces (APIs) “that allow for the inclusion of robust security features, greater transparency and access controls for consumers, improved data accuracy, and more predictable and manageable information technology costs.”  Following is a graphic from the report identifying the similarities and differences between bilateral/partnered API and open API arrangements.  It highlights how APIs can remove the need for fintech apps (users of aggregated data) and data aggregators to access consumers’ bank account login credentials and, therefore, supports Treasury’s suggestion that the private sector and financial regulators should work to implement API solutions that “address data sharing, [data normalization,] security, and liability [and should support] efforts to mitigate implementation costs for community banks and smaller financial services companies with more limited resources to invest in technology.”

  • Clarifying applicability of third-party oversight guidance to data aggregators. The report states that there is some ambiguity regarding when third-party oversight guidance issued by federal banking regulators applies to data aggregator relationships, noting that data aggregators entering into “an API agreement with a bank [] may become subject to third-party guidance because of the contractual relationship, which can increase compliance costs.”  The Treasury suggests that federal banking regulators take action to resolve this ambiguity.
  • Third-party data aggregators should be treated as “consumers.”  Section 1033 of the Dodd-Frank Act provides “consumers” a right to access certain account information electronically upon request.  Treasury recommends that this section be interpreted so that “third parties properly authorized by consumers, including data aggregators and consumer fintech application providers, fall within the definition of ‘consumer’… for the purpose of obtaining access to financial account and transaction data.”
  • Data security addressed by GLBA Safeguards Rule. The report assumes that “data aggregators and consumer fintech application providers are subject to the Gramm-Leach-Bliley Act (GLBA)” and that “the Safeguards Rule appropriately addresses” data security concerns with data aggregation activities.  To the extent additional regulatory or legislative measures are considered to address data aggregation data security issues, the Treasury suggests that such activities occur at the federal level rather than the state level to ensure uniformity.
  • Other financial regulators should support data aggregation. The report suggests that regulators in addition to the BCFP should take steps to enhance data aggregation activities, including the Securities and Exchange Commission, the Financial Industry Regulatory Authority, Department of Labor, and state insurance regulators.

On September 20, 2018, from 12 p.m. to 1 p.m. ET, Ballard Spahr will conduct a webinar, “More Than Just Fintech: What Are the Important Takeaways for All Consumer Financial Services Providers from Treasury’s Sweeping Report?”  A link to register is available here.




Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country.

The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements.  As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

On Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET, Ballard Spahr attorneys will hold a webinar to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance.  Click here to register.

For a discussion of the new law’s most notable provisions, see our legal alert.


Arizona Governor Doug Ducey signed HB 2154 into law on April 11, 2018, amending and strengthening the state’s data breach notification law. Notably, the amended law significantly expands the definition of “personal information” to include a number of new data elements, including online account credentials, certain health information, and biometric data used to authenticate an individual when the individual accesses an online account.  The amended law also requires that notice be provided within 45 days after a determination that a “security system breach” has occurred and adds an obligation to notify the Arizona Attorney General and nationwide consumer reporting agencies if the security system breach involves more than 1,000 individuals.

On April 25, 2018, from 1 p.m. to 2 p.m. MT, Ballard Spahr attorneys will hold a webinar—Arizona Strengthens and Expands Data Breach Notification Law.  The webinar registration form is available here.

Click here for the full alert.

Alabama officially joined the data breach notification party last month when the state’s governor signed a data breach notification law that will take effect on June 1, 2018.  Although Alabama was the last state in the country to enact such a law, its new law will immediately take its place among the most stringent in the nation.

For a summary of the law’s provisions, see our legal alert.


In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

Appearing before the House Financial Services Committee yesterday at a hearing entitled “The Annual Report of the Financial Stability Oversight Council”  (FSOC), Treasury Secretary Mnuchin indicated that he intends to discuss the CFPB’s handling of its investigation of Equifax’s massive 2017 data breach with the FSOC.

We blogged yesterday about Reuters’ report that that the CFPB’s investigation has sputtered since it was authorized by former CFPB Director Cordray shortly after Equifax revealed the data breach.  We commented that the Reuters report was not surprising since there is substantial doubt as to whether the CFPB has enforcement jurisdiction over data breaches.  We also noted that even though the CFPB appears not to be involved in the Equifax matter, this has not stopped the FTC and state attorneys general from aggressively pursuing their own investigations.

Secretary Mnuchin’s statement that he plans to discuss the CFPB’s investigation with both the FSOC and Mick Mulvaney, President Trump’s designee as CFPB Acting Director, was made in response to concerns expressed by a Committee member about the CFPB’s inaction.  The FSOC, which was established by the Dodd-Frank Act to analyze and mitigate potential threats to the financial sector, is comprised of representatives from each of the federal financial regulators, including the CFPB.

The Consumer Law & Policy Blog, in a blog post today, quoted a CFPB spokesperson who stated that reports that the CFPB is not looking into the Equifax data breach and Equifax’s response are incorrect.  The blog post also referenced an American Banker article that suggested that the CFPB is taking a backseat to the FTC, the lead investigator, and rather than abandoning its investigation, may in fact be coordinating with the FTC.