The FTC has proposed amendments to its Safeguards Rule (2003) and Privacy Rule (2000), which apply to financial institutions under the Gramm-Leach-Bliley Act (GLBA).  The proposed changes are informed by the FTC’s enforcement experience and are intended to keep pace with technological developments.

The Safeguards Rule requires financial institutions to maintain a comprehensive information security program.  The proposed amendments would define the required elements of such a program more specifically.  Some of the proposed changes to the Safeguards Rule include:

  • encrypting all customer information, both in transit and at rest;
  • implementing access controls to prevent unauthorized users from accessing customer information;
  • requiring multifactor authentication for any individual accessing customer information; and
  • requiring periodic written reports to the board of directors on the status of the program and compliance with the rule.

The proposed amendments would better align the Safeguards Rule with prevailing cybersecurity standards, such as the New York Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR Part 500) and the NIST Cybersecurity Framework.  The amendments are also designed to subject non-bank financial technology companies (fintechs) to cybersecurity standards similar to those that banks face under the FFIEC interagency guidelines.

Further, the Commission proposes to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to include companies engaged in activities “incidental to financial activities.”  The expansion would bring in “finders,” that is, companies that charge a fee to connect consumers seeking a loan with a lender.

While the proposed changes to the Safeguards Rule and Privacy Rule would give GLBA-covered entities more clarity about the required contours of their information security programs, the proposed expansion of the definition of “financial institution” is unlikely to be welcomed by the companies that would be newly covered by the two rules.

The CFPB has issued a final rule amending the provisions of Regulation P that implement the Gramm-Leach-Bliley Act (GLBA) annual privacy notice requirement.  The final rule is intended to reflect the GLBA amendments made by the Fixing America’s Surface Transportation Act that exempted financial institutions meeting certain conditions from the annual notice requirement.  The statutory exemption from the annual notice requirement became effective in December 2015.  The amendments to Regulation P made by the final rule will be effective 30 days from the final rule’s publication in the Federal Register.

The final rule provides that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution (1) shares nonpublic personal information (NPPI) with nonaffiliated third parties only under one of the GLBA exceptions that do not trigger a customer’s opt-out rights (§ 1016.13, § 1016.14, or § 1016.15); and (2) has not changed its policies and practices with regard to disclosing NPPI from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.  Financial institutions that choose to take advantage of the annual notice exemption must still provide any opt-out disclosures required under the Fair Credit Reporting Act (FCRA), which can generally be provided in the initial privacy notice.  In the Supplementary Information accompanying the final rule, the CFPB states that it does not interpret the second condition for using the annual notice exemption to include changes to a financial institution’s FCRA disclosures or changes to voluntary disclosures and opt-outs that are provided in the institution’s privacy notice.

The final rule includes timing requirements for providing annual privacy notices by a financial institution that no longer meets the conditions for the exemption.  The timing requirements vary depending on whether the change that causes the institution to no longer satisfy the conditions for the exemption also triggers a requirement under Regulation P to provide a revised privacy notice.  Under Regulation P, a financial institution must provide revised notices before it begins to share NPPI with a nonaffiliated third party if such sharing would be different from what the institution described in the initial privacy notice it delivered.

The final rule also removes the alternative delivery method for GLBA annual privacy notices that Regulation P (pursuant to a 2014 amendment) allowed financial institutions to use if they met certain conditions.  Since any financial institution that met the conditions for using the alternative delivery method would meet the conditions for the statutory exemption, the CFPB believes an institution with both options available to it would choose not to provide an annual privacy notice at all rather than provide it using the alternative delivery method.  However, the CFPB indicates in the Supplementary Information that financial institutions that qualify for the annual notice exemption can still, without affecting their eligibility for the exemption, choose to post privacy notices on their websites, provide privacy notices to consumers who request them, and notify consumers of the notices’ availability.


Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches within 30 days of determining that a breach occurred, the shortest notification deadline in the country.

The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements.  As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

On Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET, Ballard Spahr attorneys will hold a webinar to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance.

For a discussion of the new law’s most notable provisions, see our legal alert.


The Association of Corporate Counsel (ACC) Foundation has released The State of Cybersecurity Report (2018), underwritten by Ballard Spahr.  The report, subtitled “An In-House Perspective,” provides insights on corporate cybersecurity issues from more than 600 general counsel, chief legal officers, and other senior law department leaders at organizations worldwide.

The new report, which updates and builds on the 2015 edition that was also underwritten by Ballard Spahr, reflects the fact that companies experienced more breaches than ever in 2017—up 45% from 2016—as in-house counsel continue to increase the amount of attention—and money—spent on protecting sensitive online data.  It includes a self-assessment tool companies can use to assist their efforts.


In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.”  Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”

Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”

Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories.  Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement.  Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.

Furthermore, companies should expect further guidance from the FTC on its privacy and data security expectations, intended to reduce unnecessary regulatory burdens and to give businesses more transparency about how they can remain compliant and avoid engaging in unfair or deceptive acts or practices.  Under Ohlhausen’s leadership, companies should watch closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than waiting to learn what they should not do from FTC enforcement actions.

On July 1st, the CFPB proposed to amend Regulation P under the Gramm-Leach-Bliley Act (GLBA) to implement the statutory changes made by the Fixing America’s Surface Transportation Act (see prior post) that provided financial institutions that meet certain conditions with an exemption from the GLBA requirement to deliver annual privacy notices to customers.  The proposed changes would also establish timing requirements for resuming delivery of annual privacy notices if a financial institution no longer qualifies for the exemption.  Companies considering changes to their privacy policies or practices should carefully assess the impact of the proposed rules.

The proposed rules would provide that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution:

  • provides nonpublic personal information to nonaffiliated third parties only under one of the GLBA exceptions to the notice and opt-out requirements (§ 1016.13, § 1016.14, or § 1016.15); and
  • has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.

The proposed rule would not affect the collection or use of consumers’ nonpublic personal information by financial institutions.  Nor does the new exemption affect the requirement to deliver an initial privacy notice, so all consumers will continue to receive initial notices describing the privacy policies of any financial institution with which they do business.  Furthermore, financial institutions that choose to take advantage of the annual notice exemption must still provide any opt-out disclosures required under the Fair Credit Reporting Act, which can generally be provided in the initial notice.

The CFPB is also proposing to remove its 2014 rule (as described in our prior post) that established an alternative delivery method for GLBA annual privacy notices. Because financial institutions that meet the conditions in Regulation P to use the alternative delivery method also would meet the conditions for the new statutory exemption, the CFPB has concluded that the alternative delivery method is no longer necessary as the CFPB believes that a financial institution that has both options available to it would choose not to send the annual privacy notice at all, rather than to deliver it pursuant to the alternative delivery method.  However, the CFPB notes that financial institutions that qualify for the new exemption may still choose to post privacy notices on their websites or deliver privacy notices to consumers who request them.

While a positive step forward in regulatory reform, the CFPB could have done this years ago during its 2014 rulemaking process.  However, an act of Congress was required to push the CFPB into making this common-sense change.

On January 11, Elena Babinecz, a CFPB attorney, spoke as part of a panel relating to the revised HMDA rule at the Winter Meeting of the Consumer Financial Services Committee of the Business Law Section of the American Bar Association.  Ms. Babinecz confirmed that the CFPB is engaged in a follow-up policymaking process to allow the public to provide input on privacy concerns relating to new data that those subject to HMDA’s reporting requirements are required to collect, record and report.

As we have previously reported, the new HMDA rule includes numerous new data points.  For example, Covered Institutions will be required to collect, record and report information about applicants and borrowers, including age, credit score, and debt-to-income ratios.  Moreover, for data collected in or after 2018, the new rule will require a Covered Institution to allow applicants to self-identify ethnicity or race using disaggregated ethnic and racial subcategories, which information will be reported accordingly.

Ms. Babinecz acknowledged that the CFPB received comments on the rule drawing attention to the fact that many of these new data points implicate important privacy rights.  We agree that privacy is a critical issue, and join those who have raised concerns about expansion of data points under the new rule.  For example, the new rule will require Covered Institutions to collect and record sensitive information about individuals, which will be accompanied by additional data security burdens.

The CFPB has not provided details on how it intends to ensure that the sensitive information about consumers that will be reported to, and maintained by, the CFPB will be protected from unauthorized access or disclosure.  Finally, while the public will be able to obtain HMDA data using the new Internet-based tool being built by the CFPB, what portion of the reported data will be made publicly available is still under consideration by the CFPB.

We look forward to learning more about the CFPB’s policymaking relating to data privacy under the new HMDA rule.