Latest Articles

On August 17, 2018, the Bureau of Consumer Financial Protection published a final rule amending its Regulation P to include an exception to the Gramm-Leach-Bliley Act annual privacy notice obligation. Nearly three years ago, the Fixing America’s Surface Transportation Act (FAST Act) amended the GLBA to provide for such an exception. The CFPB has now caught up in order to ensure that Regulation P is consistent with the GLBA as amended. Although the final rule…
With the passage of the California Consumer Privacy Act of 2018 (AB 375), the United States now has its first truly sweeping privacy regime. On Thursday, June 28, 2018, California Governor Jerry Brown signed into law what is arguably the most expansive privacy legislation in U.S. history. The Act is the product of backroom wrangling between legislators, industry, and the primary sponsor of a ballot initiative by the same name. Proposed just last week as…
Financial institutions in the United States are no strangers to privacy regulations, particularly given the obligations imposed by the federal Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“SB1”). More recently, financial institutions have been focused on whether and/or the extent to which the EU’s GDPR may apply to their U.S. operations. Many financial institutions, however, have yet to consider an equally important U.S. privacy development—the California Consumer Privacy Act (“Act”), a ballot initiative likely to appear…
The massive Equifax breach continues to prompt responses from a wide range of regulators. While this is not surprising in light of the scale and nature of the incident, a number of regulators are taking more aggressive and more public actions in just a short time following public announcement of the breach. While there is a long history of various regulators taking action following high-profile breaches, the speed of the regulatory response has been unique when…
On June 7, 2017, the Office of the Comptroller of the Currency issued frequently asked questions that supplement the OCC’s 2013 guidance entitled “Third-Party Relationships: Risk Management Guidance.” The 2013 Bulletin sets forth the OCC’s expectation for banks’ due diligence and ongoing monitoring of third-party service providers, including enhanced diligence and monitoring for third parties that support critical activities. While the FAQs affirm this guidance, they provide substantial flexibility for banks to right-size their approach…
On December 28, 2016, the New York State Department of Financial Services (NYDFS) released a significantly revised version of its controversial, proposed cybersecurity rules, initially proposed in September of last year. As we noted in our Client Alert at that time, the rules as originally proposed would have created one of the most comprehensive and detailed cybersecurity standards in the country, and would have created significant compliance and implementation challenges. As a result, the original…
On October 19, 2016, the Federal Deposit Insurance Corporation, the Federal Reserve Board and the OCC (collectively, the Agencies) released an Advance Notice of Proposed Rulemaking (ANPR) laying out a framework for enhanced cyber risk management standards that the Agencies are considering requiring of certain “large and interconnected” financial institutions. The Agencies have not yet proposed specific standards in a formal proposed rule. Instead, the Agencies have laid out a framework that they are considering and…
On September 13, 2016, the New York State Department of Financial Services (NYDFS) proposed cybersecurity rules that, if finalized in their current form, would create one of the most comprehensive, detailed and onerous cybersecurity standards in the country. While the proposed rules would apply only to financial institutions subject to the NYDFS’s authority under New York law, this proposal is important for all companies. It highlights a trend that legislatures and regulators are revisiting decades-old…
On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) broke new ground (at least for the CFPB) when it released a consent order against Dwolla, Inc., an online payment platform, regarding data security. While in many respects the data security “message” sent by the CFPB is not a new one (e.g., companies must live up to their data security promises), the consent order is particularly noteworthy because it represents the CFPB’s first formal foray into the…
On December 1, 2015, House and Senate conferees reached a deal on a long-term highway bill, the “Fixing America’s Surface Transportation Act” (H.R. 22). While the bill’s more than 1,300 pages are largely focused on highway, transportation, and safety issues, the bill includes amendments to two federal financial privacy laws, the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”). In particular, the GLBA amendment would provide an exception to the annual…