On October 27, the Federal Trade Commission (“FTC”) unanimously voted to amend the Safeguards Rule to require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report data breaches and security events to the Agency. This amendment will become effective 180 days after its publication in the Federal Register.…
Pennsylvania amends data breach notification law
In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information. The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements. Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. …
Unpacking the FTC’s Recent Blog Post Regarding Breach Notification

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. …
Second Circuit ruling clarifies when data breach plaintiffs have adequately pleaded Article III standing
In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing.
The case is McMorris v. Carlos Lopez & Associates, LLP (CLA). …
Equifax Reaches Historic $575 Million Settlement Agreement Arising from 2017 Data Breach
Equifax has agreed to pay $575 million to settle consumer as well as state and federal regulatory claims for its 2017 data breach. This is the largest data breach settlement to date.
2017 Data Breach
At the federal level, the FTC and CFPB both filed complaints against Equifax. The FTC complaint alleges Equifax was aware of a security vulnerability in a database containing consumer inquiries about their personal credit data.…
Proposed House Bill Would Set National Data Security Standards for Financial Services Industry
A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter.…
Arizona Strengthens and Expands Data Breach Notification Law
Arizona Governor Doug Ducey signed HB 2154 into law on April 11, 2018, amending and strengthening the state’s data breach notification law. Notably, the amended law significantly expands the definition of “personal information” to include a number of new data elements, including online account credentials, certain health information, and biometric data used to authenticate an individual when the individual accesses an online account. …
OR, NY, AL, and RI considering data breach legislation post-Equifax
In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers. Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.…
CFPB reportedly puts investigation of Equifax on ice while other government agencies press forward
Equifax announced on September 7, 2017 a massive data breach affecting an estimated 143 million consumers. Richard Cordray, the then Director of the CFPB, shortly thereafter authorized an investigation according to several media reports. Reuters reported yesterday that the investigation sputtered since then, according to several government and industry sources. That is not surprising since there is substantial doubt as to whether the CFPB has enforcement jurisdiction over data breaches. …
Equifax and the CFPB Arbitration Rule: A Tempest in a Teapot
The recent data breach disclosure by Equifax raised an outcry from consumer advocates trying to link the data breach to the Consumer Financial Protection Bureau’s (CFPB) final arbitration rule. They are portraying this cybersecurity incident as a prime example of why class actions are needed to protect consumers, hoping to persuade the U.S.…