Alabama officially joined the data breach notification party last month when the state’s governor signed a data breach notification law that will take effect on June 1, 2018. Although Alabama was the last state in the country to enact such a law, its new law will immediately take its place among the most stringent in the nation.… Continue Reading
data security
OIG finds incomplete CFPB response to unaccounted-for-laptops
The CFPB’s Office of Inspector General has issued a report indicating that, in performing an audit of the CFPB’s encryption of data on mobile devices issued to staff members, the OIG found the CFPB had not yet completed all of the steps previously identified by the OIG to address the risk created by unaccounted-for-laptops. … Continue Reading
FTC Releases Annual Privacy and Data Security Update
The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues. In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras). … Continue Reading
FTC Privacy and Data Security Enforcement Activity Continues Unabated under the Trump Administration
Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.” … Continue Reading
CFPB Management Challenges Include Information Security
On September 29th, the Office of the Inspector General (OIG) that oversees the CFPB released a memorandum detailing the major management challenges facing the CFPB. The memo identified four areas of improvement that, unless addressed, would otherwise hamper the CFPB’s ability to accomplish its strategic objectives:
- Ensuring an Effective Information Security Program
- Ensuring Comprehensive Policies and Procedures Are in Place and Followed
- Maturing the Human Capital Program
- Managing and Acquiring Sufficient Workspace to Support CFPB Activities
Despite the vast quantities of consumer information being collected by the CFPB as part of its consumer protection mission, the CFPB has not fully implemented an information security continuous monitoring program, including a comprehensive data loss prevention system and oversight of contractor-operated information systems. … Continue Reading
CFPB brings its first data security enforcement action
Last August, we blogged about a Third Circuit decision that held the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act. In our blog post, we commented that banks and other companies subject to the CFPB’s jurisdiction faced the possibility that the CFPB could begin using its Dodd-Frank authority to bring enforcement actions against companies engaged in unfair, deceptive, and abusive acts and practices (UDAAP) to regulate cybersecurity policies and procedures. … Continue Reading
Company prevails in challenge to FTC data security complaint
As we have previously observed, banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.
For companies also subject to the FTC’s jurisdiction, the threat of FTC regulation of their cybersecurity policies and procedures became significantly more imminent as a result of the Third Circuit’s August 2015 decision in FTC v.… Continue Reading