On October 18, 2022, the New York State Department of Financial Services announced that EyeMed Vision Care LLC agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.
Continue Reading NYDFS Fines EyeMed $4.5 Million for Cybersecurity Violations

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers.
Continue Reading SEC Fines Morgan Stanley $35 Million for Alleged Failure to Protect Customer Data

On August 10, 2022, the Consumer Financial Protection Bureau issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010.
Continue Reading New CFPB Interpretive Rule Targets Digital Marketing Providers

On July 29, 2022, the New York Department of Financial Services posted proposed amendments to its Cybersecurity Requirements for Financial Services Companies. This blog entry provides highlights of the amendments.
Continue Reading Proposed Amendments to NY Financial Services Cybersecurity Regulations Impose New Obligations on Large Entities, Boards of Directors and CISOs

On June 24, 2022, the New York State Department of Financial Services announced it had entered into a $5 million settlement with Carnival Corp., the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.
Continue Reading NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches

On January 4, 2022, the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” in response to Log4Shell’s public disclosure of the Log4j vulnerability.
Continue Reading FTC Puts Companies on Notice that Failure to Identify and Patch Instances of Log4j May Violate FTC Act

Earlier this month, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC over alleged violations of the FTC Act and Fair Credit Reporting Act. The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.
Continue Reading FTC Settles with Loan Application Company Over Alleged Misuse of Sensitive Personal Information