FTC Hosts Its Second Annual “PrivacyCon” Event

On January 12, the FTC hosted its second annual “PrivacyCon”— a public forum promoted by the regulator in order to “expand collaboration among leaders from academia, research, consumer advocacy, and industry on the privacy and security implications of emerging technologies.” Throughout the day, speaker panels presented research and opened the floor to discussions addressing five major topic areas: (i) the Internet of Things (IoT) and big data; (ii) mobile privacy; (iii) consumer privacy expectations; (iv) online behavioral advertising; and (v) information security. Among other things, panelists discussed the possibility of using machine learning to automatically block or permit user tracking and information collection by applications and websites based on the user’s past practices. Many panelists also examined data “leakage” from devices and the possible privacy and security issues that are raised by such leakage.

full version of the agenda, including links to abstracts of the research being presented, as well as a video recording of the event, is available online. Additional research not present but submitted without a request for confidential treatment is also available here.


CFPB Launches Inquiry into Consumer Financial Data Access

On November 17, the CFPB formally announced the launch of an inquiry into the benefits and risks associated with consumers authorizing third-parties to access their financial and account information held by financial service providers. The CFPB has been investigating and assessing issues related to data access and technological innovation for some time, including through Project Catalyst .

As detailed in the Request for Information (Dkt No. CFPB-2016-0048) issued on November 17, the CFPB is focused on three main points of inquiry: (i) secure access for consumersi.e., are consumers able to securely access, and authorize others to securely access, their financial records? Are there any “business burdens” that must be addressed to provide access and use of financial records?; (ii) third-party riski.e., some financial institutions have expressed concern that providing third parties with access to records may compromise consumer privacy or put their funds at risk. The CFPB would like learn more about options for ensuring that financial records are securely obtained, stored and used; and (iii) consumer control — i.e., to what extent are consumers able to control how shared data is being used by third-parties with authorized access?  Are consumers able to limit the number of times those firms can access the data?

In prepared remarks delivered at a field hearing in Salt Lake City, UT, CFPB Director Richard Cordray explained: “The technology around digital financial records continues to develop and, so far, there are many unanswered questions about how the information is being shared, by and to whom, and how safely. As with any emerging industry, we are hearing about some bumps in the road. Both Fintech companies and financial institutions, as well as consumer groups, are describing to us the various challenges, risks and technological obstacles to further progress in this area.”


California AG Harris Launches New Consumer Privacy Tool

On October 14, California AG Harris released an online complaint form designed to help consumers report potential violations of the California Online Privacy Protection Act (CalOPPA). Pursuant to the CalOPPA, commercial websites and online services collecting consumer information are required to post privacy policies that include “the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the [policy’s] effective date.” As part of AG Harris’s “multi-pronged” effort to improve online privacy for consumers, the form will allow consumers to “crowdsource” privacy policy violations, thus “exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”


Special Alert: NYDFS Stakes Claim on Cybersecurity Regulation

On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”

Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of the breach and more recently amended the law to require 12 months of identity protection and strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.

The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than to just ask financial entities to conduct a risk assessment and to design measures to address the identified risks.

Click here to view the full Special Alert.

* * *

Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.



FFIEC Revises Information Security Booklet

On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessment “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third-parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”