In last week’s podcast episode, we were joined by Alex Johnson, Founder of Fintech Takes, and Paige Paridon, Senior Vice President, Senior Associate General Counsel & Co-Head of Regulatory Affairs at Bank Policy Institute, to take a deep dive into the new Consumer Financial Protection Bureau Open Banking Rule.

The CFPB has issued a groundbreaking final rule implementing Section 1033 of the Dodd-Frank Act, significantly expanding consumer access to their financial data.… Continue Reading

On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) published its long-anticipated proposed rule aimed at regulating data brokers under the Fair Credit Reporting Act (FCRA).  Although the CFPB’s future is uncertain under the upcoming administration, if implemented, the rule would significantly expand the reach of the FCRA. 

In the accompanying press release, the CFPB stated that its “proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including” national security and surveillance risks; criminal exploitation; and violence, stalking, and personal safety threats to law enforcement personnel and domestic violence survivors. … Continue Reading

In Mortgagee Letter 2024-10, FHA announced a requirement for FHA approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents. The Mortgagee Letter, which is dated May 23, 2024, provides that the requirement is effective immediately.

For purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”… Continue Reading

On October 27, the Federal Trade Commission (“FTC”) unanimously voted to amend the Safeguards Rule to require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report data breaches and security events to the Agency. This amendment will become effective 180 days after its publication in the Federal Register.… Continue Reading

California continues to be at vanguard of data privacy rights.  The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians.  The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires a Californians to submit their deletion and opt-out requests on a company-by-company basis.… Continue Reading

On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as in effect on July 1, 2023.… Continue Reading

On January 12, 2023, the Consumer Financial Protection Bureau (“CFPB”) issued a report highlighting an increase in reported incidents of identity theft by servicemembers.  The report, titled “Servicemember reports about identity theft are increasing,” cited to data from the Federal Trade Commission (“FTC”) that showed nearly 50,000 cases of identity theft involving military consumers (including servicemembers, veterans, and their family members) in 2021. … Continue Reading

In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information.  The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements.  Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. … Continue Reading

On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.

The FTC approved changes to the longstanding Safeguards Rule in October 2021. … Continue Reading

In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data.  Although the action arose out of a common security failure—the sort that has been the subject of numerous prior FTC consent decrees—the enforcement requirements extend beyond the standard implementation of an information security program.… Continue Reading