The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. …
This week’s podcast: The Federal Trade Commission’s updated Gramm-Leach-Bliley Act Safeguards Rule – What you need to know
The FTC’s recently updated rule implementing GLB standards for safeguarding customer information replaces the flexibility previously given to financial institutions in developing an information security program with new prescriptive requirements. Our discussion topics include what these new requirements mean for specific aspects of such programs, assigning employee responsibility, conducting risk assessments, installing access controls, using encryption, and who is covered by the rule. …
This week’s podcast: A close look at the final rule requiring notification of ransomware and similar computer-security incidents issued by the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corporation
We discuss the new notification requirements that the final rule places on both U.S. banking organizations and bank service providers relating to ransomware and similar computer security incidents, including the mandated timing for providing notice, and how the final rule differs from the agencies’ proposal. We also look at the compliance challenges presented by the final rule and offer suggestions for covered entities to consider in preparing for compliance with the new requirements.…
Federal financial regulators tighten timelines for reporting ransomware attacks
As anticipated, the OCC, Federal Reserve Board, and FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”). The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic. It places new reporting requirements on both U.S. banking organizations and bank service providers.
FTC makes significant changes to GLBA Safeguards Rule, requests comment on breach reporting, and adopts final privacy rule for motor vehicle dealers
The FTC’s final rule released last week amending its Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) will require significant changes in data security policies and procedures to be made by non-bank financial institutions covered by the Safeguards Rule. Such institutions include finance companies, mortgage companies and brokers, motor vehicle dealers, small-dollar lenders, and debt collectors.…
FFIEC issues updated guidance on authentication and access
The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled “Authentication and Access to Financial Institution Services and Systems” (Guidance). The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.
The Guidance contains risk management principles and practices that can support a financial institution’s authentication of (1) users accessing the financial institution’s information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and (2) business and consumer customers (collectively, customers) authorized to access digital banking services. …
Ballard Spahr partner, Phil Yannella, authors book on data breach and privacy litigation
Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation. The book, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase. The publication of Cyber Litigation comes at an important moment as the U.S.…
Second Circuit ruling clarifies when data breach plaintiffs have adequately pleaded Article III standing
In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing.
The case is McMorris v. Carlos Lopez & Associates, LLP (CLA). …
NYDFS penalizes mortgage company for cyber breach
On March 3rd, the New York Department of Financial Services (“NYDFS”) announced a settlement with Residential Mortgage Services, Inc. (“RMS”) to resolve allegations that RMS violated the NYDFS Cybersecurity Regulation relating to a 2019 cyber breach.
In July 2020, NYDFS conducted an examination of RMS as a licensed mortgage banker. …
Ballard Spahr offering preview sessions of its Collections, Credit Reporting, and Privacy and Data Security national tracking services
Subscribers to each service will receive weekly emails and have the opportunity to discuss developments in each area during a monthly call. Additionally, subscribers will be enrolled in an interactive, searchable, online database that enables subscribers to have 24-hour access to our information and analysis.
To further educate our current subscribers and anyone else interested in subscribing to the trackers about how to maximize the online database, we will be offering preview sessions to provide training on the various tools available through the dashboard, such as the interactive map and the search functions that will allow information to be sorted by topic, jurisdiction, date, and for the FCRA tracker, by federal court and counsel for plaintiffs.…