California continues to be at the vanguard of data privacy rights. The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians. The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires Californians to submit their deletion and opt-out requests on a company-by-company basis.…
Data Security
Kansas Passes an Act Requiring Mortgage Companies, Supervised Lenders, and Money Transmitters to Create Information Security Standards Consistent with GLBA’s Consumer Information Safeguard Rule
On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as in effect on July 1, 2023.…
New CFPB report highlights increase in servicemember identity theft incidents
On January 12, 2023, the Consumer Financial Protection Bureau (“CFPB”) issued a report highlighting an increase in reported incidents of identity theft by servicemembers. The report, titled “Servicemember reports about identity theft are increasing,” cited to data from the Federal Trade Commission (“FTC”) that showed nearly 50,000 cases of identity theft involving military consumers (including servicemembers, veterans, and their family members) in 2021. …
Pennsylvania amends data breach notification law
In early November, Pennsylvania amended its data breach notification law, broadening the definition of personal information. The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements. Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. …
FTC extends deadline for updated Safeguards Rule by six months
On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.
The FTC approved changes to the longstanding Safeguards Rule in October 2021. …
FTC requires data minimization in Drizly enforcement action
In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data. Although the action arose out of a common security failure—the sort that has been the subject of numerous prior FTC consent decrees—the enforcement requirements extend beyond the standard implementation of an information security program.…
This week’s podcast episode: A look at recent Federal Trade Commission and Consumer Financial Protection Bureau privacy and data security initiatives
Our discussion examines the FTC’s Advanced Notice of Proposed Rulemaking relating to what it describes as “commercial surveillance” and the CFPB’s circular confirming that covered persons and service providers may violate the Consumer Financial Protection Act’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. We consider the ANPR’s scope, its areas of focus, and potential federal and state obstacles to the FTC’s initiative. …
CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice
On August 11, the CFPB published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.…
Unpacking the FTC’s Recent Blog Post Regarding Breach Notification

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. …
This week’s podcast: The Federal Trade Commission’s updated Gramm-Leach-Bliley Act Safeguards Rule – What you need to know
The FTC’s recently updated rule implementing GLB standards for safeguarding customer information replaces the flexibility previously given to financial institutions in developing an information security program with new prescriptive requirements. Our discussion topics include what these new requirements mean for specific aspects of such programs, assigning employee responsibility, conducting risk assessments, installing access controls, using encryption, and who is covered by the rule. …