On January 4, 2022, in response to the public disclosure of the Log4j vulnerability known as Log4Shell, the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.”
Continue Reading FTC Puts Companies on Notice that Failure to Identify and Patch Instances of Log4j May Violate FTC Act

Earlier this month, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC over alleged violations of the FTC Act and Fair Credit Reporting Act. The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.
Continue Reading FTC Settles with Loan Application Company Over Alleged Misuse of Sensitive Personal Information

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule requiring U.S. banks to notify federal regulators within 36 hours of determining that a computer-security incident meeting certain criteria has occurred. The rule also requires bank service providers to notify affected banks “as soon as possible” when the service provider determines that a computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
Continue Reading Federal Regulators Issue New Cyber Incident Reporting Rule for Banks

On November 14, 2021, the U.S. Department of the Treasury announced a bilateral cybersecurity partnership with the Israeli Ministry of Finance “to protect critical financial infrastructure and emerging technologies” and combat the use of ransomware. The initiative includes the launch of a U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity (the “Task Force”), which seeks to advance the twin goals of encouraging fintech innovation while protecting against cyber threats from nation-state and criminal actors.
Continue Reading U.S. Department of the Treasury Announces Partnership with Israel to Combat Ransomware

On October 21, 2021, the Consumer Financial Protection Bureau issued orders to Google, Apple, Facebook, Amazon, Square and PayPal requesting detailed information about their business practices in relation to payment systems they operate.
Continue Reading CFPB Orders Six Tech Companies to Provide Information on Payment Systems Data Practices

On October 27, 2021, the Federal Trade Commission announced significant amendments to the agency’s Safeguards Rule, which requires covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Safeguards Rule’s requirements.
Continue Reading FTC Announces Significant Updates to GLB Safeguards Rule

On July 13, 2021, federal bank regulators (the Board of Governors of the Federal Reserve System, the FDIC and the Office of the Comptroller of the Currency) requested public comment on proposed joint guidance regarding banking organizations’ management of risks related to relationships with third-party support and service providers. This blog entry provides highlights of the guidance.
Continue Reading Federal Banking Regulators Request Comment on Proposed Guidance for Third-Party Risk Management