Toward 2024
Major rule and regulatory amendments will come into effect in 2024, promising a steady amount of enforcement in the areas of data privacy and cybersecurity.
Continued rulemaking and increased reporting requirements for cybersecurity incidents demonstrate increased regulatory attention and expectations for companies in the financial services industry.
The Court of Appeals will begin considering the Session Replay data privacy case.
Key Trends from 2023 Onward
In 2023, Goodwin tracked six enforcement actions in the data privacy space, all of which took place in New York. This increase in activity indicates that regulators are poised to continue the trend of closely monitoring the data security and privacy practices of companies in the financial services industry.
In the News
FTC Safeguards Rule Updates
The remaining FTC amendments to the Safeguards Rule became effective in June 2023, after the effective date was extended several times due to challenges caused by the COVID-19 pandemic. These amendments include requirements for financial institutions related to training, encryption, multi-factor authentication (MFA), and more. Additionally, in October 2023, the FTC announced new final amendments to the Safeguards Rule requiring financial institutions subject to the Rule to report, within 30 days of discovery, “notification events” that result in the “unauthorized acquisition of unencrypted customer information involving at least 500 customers.” The FTC will publish an online form that each company must use to submit these reports.
NYDFS Finalizes Second Amendment to Part 500
In November 2023, after publishing two drafts for notice and comment, the New York Department of Financial Services (NYDFS) finalized the Second Amendment to New York State Cybersecurity Regulations Part 500. The final amendments significantly strengthen the requirements for covered entities, including requirements related to cybersecurity governance, vulnerability management, access rights and controls, MFA, monitoring and training, incident response and business continuity management, incident notification, and more. The amendments also impose additional obligations on a new subset of covered entities, “Class A companies,” which must “design and conduct independent audits” of their cybersecurity programs based on their “risk assessments,” monitor privileged access activity, and implement both an endpoint detection and response solution that monitors anomalous activity and a solution that centralizes logging and security event alerting. NYDFS has posted cybersecurity-related resources on its website, including training sessions and FAQs related to these updates, as well as a timeline outlining the various effective dates.
SEC Final and Proposed Rules
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules aimed at standardizing and enhancing disclosures regarding cybersecurity incidents and risk management processes for all public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The new rules require public companies to disclose a cybersecurity incident on Form 8-K within four business days after the company determines that the incident is “material.” Additionally, a public company must file an amendment to its Form 8-K filing within four business days if certain required information was not available at the time of the initial filing. In addition, such companies must describe in their annual Form 10-K their cybersecurity risk management policies and procedures, governance practices, and board-level cybersecurity expertise. The SEC also adopted rules requiring foreign private issuers to make comparable disclosures. The final rules became effective on December 18, 2023.
In March 2023, the SEC reopened the comment period on proposed rules regarding cybersecurity risk management for registered investment advisers, investment companies, and business development companies (funds). These proposed rules would require advisers and funds to adopt and implement written cybersecurity policies and procedures to address certain cybersecurity risks. They would also require advisers to report to the SEC, on a new confidential form, any significant cybersecurity incidents affecting them, their funds, or their private fund clients.
Executive Order on AI
In October 2023, the Biden administration issued an executive order on AI, establishing new standards for AI safety and security to protect Americans from risks posed by AI systems, including privacy and cybersecurity risks. In relevant part, the order calls on Congress to pass bipartisan data privacy legislation to protect all Americans, especially children, and directs actions related to strengthening federal support for policy and technology tools, including privacy-preserving technologies. The order also requires federal agencies to assess potential AI-related cybersecurity vulnerabilities and promulgate best practices to prevent cybersecurity risks. Additionally, the order identifies risk mitigation activities relevant to the financial services sector and requires the Secretary of the Treasury to issue, within 150 days, a public report on best practices for financial institutions to manage AI-specific cybersecurity risks. Many of the initiatives included in this order require action by Congress before they go into effect.
California Releases Draft Automated Decision Technology Regulations
In December 2023, the California Privacy Protection Agency (CPPA) released draft Automated Decision Technology Regulations. The draft regulations would require businesses to provide consumers with opt-out rights, pre-use notice, and access rights regarding businesses’ use of automated decision-making technology on consumer data. The regulations define automated decision-making technology as “any system, software, or process that processes personal information and uses computation, in whole or in part, to make or carry out decisions or facilitate human decision-making,” which includes profiling. The draft also proposes potential options for additional consumer protections related to the use of personal information to train these technologies. The CPPA plans to begin formal rulemaking in 2024.
State Privacy Laws
In July 2023, a California court order delayed enforcement of the 2020 California Privacy Rights Act (CPRA) implementing regulations, which amend the California Consumer Privacy Act (CCPA), until March 29, 2024. In addition, several comprehensive state privacy laws, including those in Utah, Virginia, Colorado, and Connecticut, officially went into effect in January 2023. Similar laws have been enacted in many other states and are expected to go into effect in 2024. All laws currently in force or enacted either exempt financial institutions entirely from compliance or exempt data regulated under the Gramm-Leach-Bliley Act, i.e., non-public personal information (NPI), from the scope of the law.
Data Security Class Action Lawsuits
In 2023, there was an increase in putative class actions related to data security breaches compared to 2022. This surge in lawsuits may be attributable to breaches of file-sharing and similar programs used by companies, such as the May 31, 2023 breach involving the MOVEit file transfer software. As a result of that breach, more than 600 organizations were compromised and more than 100 class actions were filed against dozens of organizations. Additionally, cybercrime continues to increase rapidly as bad actors adopt more sophisticated techniques to infiltrate organizations, including techniques designed to circumvent MFA and social engineering tactics that are becoming increasingly difficult to detect. The potential for more widespread use of generative AI to circumvent security protocols could pose further challenges as these tools become more mainstream.
2023 Enforcement Highlights
In 2023, NYDFS announced six new consent orders for alleged Part 500 violations. According to the Department, fines of $100 million, $1 million, $1.2 million, $4.25 million, and $135 million were imposed on a virtual currency exchange platform, Bitcoin payment service provider BitFlyer USA, OneMain Financial Group, SA Stone Wealth Management, and First American Title Insurance, respectively, along with an additional fine of $1 million. These consent orders continue NYDFS’ pattern of entering into consent orders that combine alleged violations of Part 500 with alleged violations arising from its virtual currency regulations. This trend also helps explain the wide range of fines. The consent orders reinforce the Department’s focus on key enforcement priorities, including the need to conduct comprehensive risk assessments, limit user access privileges, provide cybersecurity training, notify NYDFS of cyber events in a timely manner, and securely dispose of NPI that is no longer in use.