Welcome to the Data Privacy and Cybersecurity chapter of our annual report Consumer Financial Services 2023 Year in Review.

Looking Ahead to 2024

Amendments to key rules and regulations will take effect in 2024, promising a steady volume of enforcement in the data privacy and cybersecurity space.

Continued rulemaking and increased reporting obligations for cybersecurity incidents signal regulatory attention and enhanced expectations for companies in the financial services industry.

Appellate courts will begin to weigh in on session replay data privacy litigation.

Key Trends From 2023

In 2023, Goodwin tracked six enforcement actions in the data privacy area, all in New York. This increase in activity indicates that regulators are poised to continue the trend of rigorous scrutiny of data security and privacy practices of companies in the financial services industry.

In the News

Updates to the FTC's Safeguards Rule

In June 2023, the remainder of the FTC amendments to the Safeguards Rule took effect after several extensions of the effective date caused by challenges from the COVID-19 pandemic. These amendments include requirements for financial institutions related to training, encryption, and multi-factor authentication (MFA), among others. In addition, in October 2023, the FTC announced a new finalized amendment to the Safeguards Rule that will require financial institutions subject to the Rule to report "notification events" that result in the "unauthorized acquisition of unencrypted customer information, involving at least 500 customers" within 30 days of discovery. The FTC will publicly publish the online form that each company must submit.

NYDFS Finalizes Its Second Amendment to Part 500

In November 2023, after publishing two drafts for notice and comment, the New York Department of Financial Services (NYDFS) finalized its second amendment to New York's cybersecurity regulation, Part 500. The final amendment substantially increases the requirements for covered entities, including those related to cybersecurity governance, vulnerability management, access privileges and management, MFA, monitoring and training, incident response and business continuity management, and incident notifications, among others. The amendments also impose additional obligations on "class A companies," a new subset of covered entities, including to "design and conduct independent audits" of their cybersecurity programs based on their "risk assessments," monitor privileged access activity, and implement an endpoint detection and response solution to monitor anomalous activity as well as a solution that centralizes logging and security event alerting. The NYDFS has posted cybersecurity-related resources on its website, including training sessions and FAQs related to these updates and timelines that outline the various effective dates.

SEC Finalized and Proposed Rules

In July 2023, the US Securities and Exchange Commission (SEC) adopted final rules aimed at standardizing and enhancing disclosures relating to cybersecurity incidents and risk management processes for all public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The new rule requires public companies to disclose any cybersecurity incidents in a Form 8-K within four business days of the company's determination that the incident is "material." Also within four business days, public companies are required to file an amendment to their Form 8-K filing if certain required information was not available at the time of the initial filing. In addition, such companies must file an annual Form 10-K describing cybersecurity risk management policies and procedures, governance practices, and board-level cybersecurity expertise. The SEC also adopted rules requiring foreign private issuers to make comparable disclosures. The final rules became effective on December 18, 2023.

In March 2023, the SEC reopened the comment period for its proposed rules related to cybersecurity risk management for registered investment advisers, investment companies, and business development companies (funds). These proposed rules would require advisers and funds to adopt and implement written cybersecurity policies and procedures to address certain cybersecurity risks. They would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.

Executive Order on AI

In October 2023, the Biden administration issued an executive order on AI that articulates new standards for AI safety and security to protect Americans from the risks of AI systems, including with respect to privacy and cybersecurity. In relevant part, the order calls on Congress to pass bipartisan data privacy legislation to protect all Americans, especially children, and directs actions related to the strengthening of federal support for policy and technical tools, including privacy-preserving techniques. The order also requires federal agencies to assess potential AI-related cybersecurity vulnerabilities and promulgate best practices for guarding against cybersecurity risks. In addition, the order identifies risk mitigation activities relating to the financial services sector and requires the Secretary of the Treasury to issue a public report on best practices for financial institutions to manage AI-specific cybersecurity risks within 150 days. Many of the initiatives in the order require congressional action before taking effect.

California Releases Draft Automated Decision-Making Technology Regulations

In December 2023, the California Privacy Protection Agency (CPPA) released draft Automated Decisionmaking Technology Regulations that would require businesses to offer consumers opt-out rights, pre-use notices, and access rights regarding businesses' use of automated decision-making technologies to process consumer data. The Regulations define automated decision-making technology broadly as "any system, software, or process ... that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making," which includes profiling. The draft also proposes potential options for additional consumer protections related to the use of personal information to train these technologies. The CPPA expects to begin formal rulemaking in 2024.

State Privacy Laws

In July 2023, a California court order delayed enforcement of the implementing regulations for the California Privacy Rights Act (CPRA) of 2020, which amended the California Consumer Privacy Act (CCPA), until March 29, 2024. Additionally, several comprehensive state privacy acts officially took effect in January 2023, including in Utah, Virginia, Colorado, and Connecticut. A number of other states have enacted similar laws that will take effect in 2024. All of these currently effective or enacted laws either exempt financial institutions from complying with these laws altogether or exempt data — namely nonpublic personal information (NPI) that is subject to the Gramm-Leach-Bliley Act — from the scope of the laws.

Data Security Class Actions

In 2023, there was an uptick in putative class actions relating to data security breaches compared to 2022. The surge in such actions may result from breaches from file-sharing and other similar programs that companies utilize, such as in the May 31, 2023, breach involving the file transfer software MOVEit, which resulted in unauthorized access to more than 600 organizations and the filing of more than 100 putative class actions against dozens of entities. Further, cybercrime continues to proliferate as bad actors adopt more sophisticated methods to infiltrate organizations, such as techniques designed to bypass MFA and social engineering tactics that are increasingly difficult to detect. The potential for more widespread use of generative AI to circumvent security protocols may pose additional challenges as the tools become more mainstream.

2023 Enforcement Highlights

In 2023, the NYDFS announced the execution of six new consent orders for alleged violations of Part 500. The department entered into consent orders with a cryptocurrency exchange platform, a bitcoin payment service provider, BitFlyer USA, OneMain Financial Group, SA Stone Wealth Management, and First American Title Insurance, which resulted in penalties of $100 million, $1 million, $1.2 million, $4.25 million, $1.35 million, and $1 million, respectively. These consent orders continue the NYDFS's pattern of entering into consent orders that combine allegations of violations of Part 500 with allegations of violations stemming from the Virtual Currency Regulation. This trend also helps explain the vast range in size of financial penalties. These latest consent orders reinforce the Department's focus on key enforcement priorities, including the importance of implementing comprehensive risk assessments, limiting user access privileges, carrying out cybersecurity training, timely notifying the NYDFS of any cyber events, and securely disposing of NPI that is no longer necessary.

Click to access all 12 chapters of our Consumer Financial Services 2023 Year in Review, including a market overview about the industry overall and chapters on 11 industry segments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.