
Ashley advises retailers and financial institutions with respect to consumer financial services, privacy and security, and governance matters.

This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.

What is the Safeguards Rule?

The Safeguards Rule, which originally became effective in May 2003, long had a small bark and an even tinier bite. The rule required covered entities to develop, implement, and maintain a comprehensive written information security program with “appropriate” safeguards. With no private right of action and a breathtaking lack of specificity, this requirement was treated as little more than a suggestion by many covered entities.

Continue Reading: Don’t Forget: It’s Time to Notify the FTC of Your Data Breach

Data privacy is a top concern for many in-house legal professionals, and for good reason: data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!).  But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time.  It’s certainly not too early to get started.”

Continue Reading: Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too

The New York Department of Financial Services (“NYDFS”) has issued a series of Industry Letters requiring regulated institutions to submit information regarding plans to manage risks associated with the novel coronavirus (“COVID-19”).  The Letters request descriptions of the entities’ planned responses to a variety of threats posed by COVID-19, including heightened cybersecurity risks.

The four Industry Letters issued by the NYDFS are directed to various regulated entities and require responses regarding the entities’ prospective responses to COVID-19. Among the required responses are those regarding the regulated entities’ strategies to address specific cybersecurity-related risks, including:

Continue Reading: NYDFS Seeks Assurances from Regulated Entities in the Wake of COVID-19

Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued its proposed rule amending the Gramm-Leach-Bliley Act’s annual privacy notice requirement set forth in Regulation P.

The proposed rule responds to Congress’ December 2015 amendment to the act, which eliminated the need for certain companies to provide annual privacy disclosures to consumers. Under the

In late 2015, Congress passed the Fixing America’s Surface Transportation Act, which served as a vehicle for an amendment to the Gramm-Leach-Bliley Act (GLBA) meant to eliminate the need for certain companies to provide annual privacy disclosures to consumers.

The amendment, which took effect immediately, eliminates the annual notice requirement for financial institutions that:

  1. do not share


A recent blog post published in the Yale Journal of Law & Technology highlights rising concerns that use of anonymized “big data” can cause just as many societal problems as use of non-anonymized consumer data.

According to the post, a consumer’s name, address and social security number can become irrelevant when organizations can otherwise draw “highly

The Federal Financial Institutions Examination Council (FFIEC) recently issued an assessment tool meant to assist financial institutions in the detection of cybersecurity vulnerabilities and the prevention of cyber attacks.


The FFIEC is an interagency body that develops the principles and standards used by agencies and organizations empowered to examine financial institutions, such as the Consumer

Last week Google unveiled a redesigned “My Account” page that consolidates all of a customer’s privacy and security options in one location.

The redesigned account page does not offer any additional privacy or security options over those previously offered. Instead, it consolidates all of Google’s privacy and security settings, thus making it easier for a

The Federal Trade Commission (FTC) recently announced the formation of its Office of Technology Research and Investigation (OTRI), an office meant to “ensure that consumers enjoy the benefits of technological progress without being placed at risk of deceptive and unfair practices.” The office is meant to expand the scope of work previously conducted by the FTC’s

The FTC’s recent settlement with a medical online payments company and its former CEO highlights the importance of using clear and non-deceptive notices when asking consumers to share or provide sensitive personal health information.

The FTC alleged that Atlanta-based PaymentsMD, LLC used deceptive methods to obtain permission from consumers to collect highly sensitive personal health