On January 12, 2023, the Consumer Financial Protection Bureau (“CFPB”) issued a report highlighting an increase in reported incidents of identity theft by servicemembers. The report, titled “Servicemember reports about identity theft are increasing,” cited to data from the Federal Trade Commission (“FTC”) that showed nearly 50,000 cases of identity theft involving military consumers (including servicemembers, veterans, and their family members) in 2021. … Continue Reading
Data Security
Pennsylvania amends data breach notification law
In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information. The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements. Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. … Continue Reading
FTC extends deadline for updated Safeguards Rule by six months
On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.
The FTC approved changes to the longstanding Safeguards Rule in October 2021. … Continue Reading
FTC requires data minimization in Drizly enforcement action
In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data. Although the action arose out of a common security failure—the sort that has been the subject of numerous prior FTC consent decrees—the enforcement requirements extend beyond the standard implementation of an information security program.… Continue Reading
This week’s podcast episode: A look at recent Federal Trade Commission and Consumer Financial Protection Bureau privacy and data security initiatives
Our discussion examines the FTC’s Advanced Notice of Proposed Rulemaking relating to what it describes as “commercial surveillance” and the CFPB’s circular confirming that covered persons and service providers may violate the Consumer Financial Protection Act’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. We consider the ANPR’s scope, its areas of focus, and potential federal and state obstacles to the FTC’s initiative. … Continue Reading
CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice
On August 11, the CFPB published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.… Continue Reading
Unpacking the FTC’s Recent Blog Post Regarding Breach Notification

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. … Continue Reading
This week’s podcast: The Federal Trade Commission’s updated Gramm-Leach-Bliley Act Safeguards Rule – What you need to know
The FTC’s recently updated rule implementing GLB standards for safeguarding customer information replaces the flexibility previously given to financial institutions in developing an information security program with new prescriptive requirements. Our discussion topics include what these new requirements mean for specific aspects of such programs, assigning employee responsibility, conducting risk assessments, installing access controls, using encryption, and who is covered by the rule. … Continue Reading
This week’s podcast: A close look at the final rule requiring notification of ransomware and similar computer-security incidents issued by the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corporation
We discuss the new notification requirements that the final rule places on both U.S. banking organizations and bank service providers relating to ransomware and similar computer security incidents, including the mandated timing for providing notice, and how the final rule differs from the agencies’ proposal. We also look at the compliance challenges presented by the final rule and offer suggestions for covered entities to consider in preparing for compliance with the new requirements.… Continue Reading
Federal financial regulators tighten timelines for reporting ransomware attacks
As anticipated, the OCC, Federal Reserve Board, and FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”). The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic. It places new reporting requirements on both U.S. banking organizations, as well as bank service providers.