On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers.
Continue Reading SEC Fines Morgan Stanley $35 Million for Alleged Failure to Protect Customer Data

On August 10, 2022, the Consumer Financial Protection Bureau issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010.
Continue Reading New CFPB Interpretive Rule Targets Digital Marketing Providers

On July 29, 2022, the New York Department of Financial Services posted proposed amendments to its Cybersecurity Requirements for Financial Services Companies. This blog entry provides highlights of the amendments.
Continue Reading Proposed Amendments to NY Financial Services Cybersecurity Regulations Impose New Obligations on Large Entities, Boards of Directors and CISOs

On June 24, 2022, the New York State Department of Financial Services announced it had entered into a $5 million settlement with Carnival Corp., the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.
Continue Reading NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches

On January 4, 2022, the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” in response to Log4Shell’s public disclosure of the Log4j vulnerability.
Continue Reading FTC Puts Companies on Notice that Failure to Identify and Patch Instances of Log4j May Violate FTC Act

Earlier this month, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC over alleged violations of the FTC Act and Fair Credit Reporting Act. The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.
Continue Reading FTC Settles with Loan Application Company Over Alleged Misuse of Sensitive Personal Information

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule requiring U.S. banks to notify federal regulators within 36 hours of determining that a computer-security incident meeting certain criteria has occurred. The rule also requires bank service providers to notify affected banks “as soon as possible” when the service provider determines that a computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
Continue Reading Federal Regulators Issue New Cyber Incident Reporting Rule for Banks