
Data Privacy and Information

Security Compliance Requirements

Dena Somers, Esq.

dsomers@finregpartners.com
www.finregpartners.com

May 13, 2019


Biography
Dena Somers provides regulatory compliance and risk management consulting services to financial
institutions and companies in highly regulated industries nationwide. Previously, Dena served as General
Counsel/Chief Compliance Officer to a national mortgage servicing company, regional mortgage lender,
Fintech installment lender, and Payday lender/MSB. In private practice, she has represented both consumers
and financial institutions in a broad array of complex litigation matters for more than 15 years.
Dena also authors several compliance and risk management publications for LexisNexis Sheshunoff,
including Loan Policies Manual, Self-Paced Loan Documentation and Training, and Bank Teller Training,
and provides guidance on the regulation of financial services as an attorney author for Lexis Practice
Advisor.
Agenda
Legislative Framework
Data Protection Authority
GLBA Safeguards Rule
FTC Guidance
FFIEC Guidance
State Data Protection Laws

Legislative Framework
○ Unlike other jurisdictions, the US does not have a dedicated data protection law, but instead
regulates primarily by industry, on a sector-by-sector basis.

○ These laws and regulations may be enforced by federal and state authorities, and many
provide individuals with a private cause of action.

○ The Federal Trade Commission is one of the primary federal agencies tasked with regulating
and protecting consumer privacy in the U.S.
Data Protection Authority
In the financial services context the CFPB and various financial services regulators have
adopted standards pursuant to the Gramm-Leach-Bliley Act that dictate how firms subject to
their regulation may collect, use and disclose non-public personal information.

Outside of the regulated industries context, the FTC is the primary federal privacy regulator.
Covered PII
The definition of PII varies depending on the underlying law or regulation.

❖ In the state security breach notification law context the definition of PII generally includes an
individual's name plus his or her social security number, driver's licence number, or financial
account number.

❖ In other contexts, such as FTC enforcement actions or GLB, the definition of PII is much broader.
GLBA Safeguards Rule
The Safeguards Rule requires financial institutions to 'develop, implement, and maintain a
comprehensive information security program' that contains administrative, technical and physical
safeguards designed to protect the security, confidentiality and integrity of customer information.

It sets forth five key elements of a comprehensive information security program:

● designation of one or more employees to coordinate the program;
● conducting risk assessments;
● implementation of safeguards to address risks identified in risk assessments;
● oversight of service providers; and
● evaluation and revision of the program in light of material changes to the FI's business.
FTC Security Guidance
In 2015, the FTC published guidance regarding data security best practices based on notable lessons
from the FTC’s past enforcement actions. See Start with Security: A Guide for Business, June 2015.

The FTC evaluates an information security program and related measures based on reasonableness of
the program in light of the type of data it is collecting, storing, or processing from consumers. Factors
include:
● Sensitivity of the data collected
● Volume of the data collected
● Size and complexity of the company’s business
● Cost of available tools to implement reasonable security measures
Recent FTC Enforcement Actions
Recent enforcement actions provide insight into how the FTC interprets unfair privacy and data security
practices, including:

● Modifying a software application or installing an application on consumer devices without
providing consumers advance notice and a chance to consent (In the Matter of Gen. Workings Inc.
(F.T.C. Apr. 18, 2016))
● Failing to implement adequate data security measures and protocols to properly protect consumer
information (In re Credit Karma, Inc. (F.T.C. Aug. 13, 2014); In re Fandango, LLC (F.T.C. Aug.
13, 2014))
● Failing to “develop, implement, or maintain a comprehensive information security program” that
was adequate to protect sensitive consumer PI (LabMD, 2015)
Summary of FTC Guidance
DO NOT:
- Overcollect PI
- Store Information Longer than Required by a Legitimate Business Need
- Use PI Unless It Is Necessary

DO:
- Control Employee Access to PI
- Restrict Employee Access
- Ensure Adequate Remote Access Security
- Protect against Brute Force Attacks and Authentication Bypass
- Securely Dispose of Sensitive Data
FFIEC Guidance
An effective information security program includes the following:

● Risk identification
○ threats
○ vulnerabilities
● Risk measurement
● Risk mitigation
○ policies, standards, procedures
○ control types and implementation
○ inventory and classification of assets
● Risk monitoring and reporting
State Data Protection Laws
Laws in several US states, including California, impose general information security standards on
organisations that maintain personal information.

➔ Massachusetts Standards for the Protection of Personal Information

➔ New York Department of Financial Services Cybersecurity Regulation

➔ Nevada Encryption law

➔ California Consumer Privacy Act (CCPA)

Breach Notification Laws
● All 50 states, the District of Columbia, the US Virgin Islands, Guam and Puerto Rico have enacted
breach notification laws

○ In addition to notification of individuals, the laws of 23 states also require notice to a state
regulator in the event of a breach, typically the state attorney general.

○ Although most state breach laws require notification only if there is a reasonable likelihood
that the breach will result in harm to affected individuals, a number of jurisdictions do not
employ such a harm threshold and require notification of any incident that meets their
definition of a breach.
