As anticipated, the OCC, Federal Reserve Board, and FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”).  The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic.  It places new reporting requirements on both U.S. banking organizations and bank service providers.

The FTC’s final rule released last week amending its Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) will require significant changes in data security policies and procedures to be made by non-bank financial institutions covered by the Safeguards Rule.  Such institutions include finance companies, mortgage companies and brokers, motor vehicle dealers, small-dollar lenders, and debt collectors.…

The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled “Authentication and Access to Financial Institution Services and Systems” (Guidance).  The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.

The Guidance contains risk management principles and practices that can support a financial institution’s authentication of (1) users accessing the financial institution’s information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and (2) business and consumer customers (collectively, customers) authorized to access digital banking services. …

Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation.  The book, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase.  The publication of Cyber Litigation comes at an important moment as the U.S.…

In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing.

The case is McMorris v. Carlos Lopez & Associates, LLP (CLA). …

On March 3rd, the New York Department of Financial Services (“NYDFS”) announced a settlement with Residential Mortgage Services, Inc. (“RMS”) to resolve allegations that RMS violated the NYDFS Cybersecurity Regulation relating to a 2019 cyber breach.

In July 2020, NYDFS conducted an examination of RMS as a licensed mortgage banker. …

Subscribers to each service will receive weekly emails and have the opportunity to discuss developments in each area during a monthly call.  Additionally, subscribers will be enrolled in an interactive, searchable, online database that enables subscribers to have 24-hour access to our information and analysis.

To further educate our current subscribers and anyone else interested in subscribing to the trackers about how to maximize the online database, we will be offering preview sessions to provide training on the various tools available through the dashboard, such as the interactive map and the search functions that will allow information to be sorted by topic, jurisdiction, date, and for the FCRA tracker, by federal court and counsel for plaintiffs.…

On December 15th, the FTC announced in a press release that it had reached a settlement with a mortgage industry data analytics company to resolve allegations in the FTC’s administrative complaint that the company had failed to ensure one of its vendors was adequately securing personal data about tens of thousands of mortgage holders under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. …

On December 18, 2020, the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC) announced an interagency notice of proposed rulemaking that would require supervised banking organizations to provide notification of significant computer security incidents to their primary federal regulator.  Under the proposed rule, for incidents that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector, the banking organization must notify its primary federal regulator no later than 36 hours after determining an incident has occurred. …

On November 9, 2020, the Federal Trade Commission (FTC) announced in a press release that it had reached a settlement with Zoom Video Communications, Inc. (Zoom) to resolve allegations that Zoom had engaged in unfair and deceptive acts with regard to its video conferencing services.  Financial institutions and other companies that allowed remote workers to utilize this platform should carefully assess what impact this consent order may have and what changes may need to be made to protect virtual business meetings going forward.…