Category Archives: Financial Privacy

Bank Regulators Issue Advanced Notice of Proposed Rulemaking on Cyber Risk Governance and Management Regulations

More regulators (apart from the FTC) are now taking note of cybersecurity issues in the financial services industry and are taking steps to protect the industry and its consumers. Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) issued its first enforcement action on data security against an online payment system. In June, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body, issued a press release advising financial institutions to review their risk-management practices. Last month, the New York State Department of Financial [...]

D.C. Circuit Holds CFPB is Unconstitutionally Constructed; Removes For-Cause Removal Protection from CFPB Director

On Tuesday, October 11, 2016, the D.C. Circuit Court issued its opinion in PHH Corp. v. Consumer Financial Protection Bureau, holding that the Consumer Financial Protection Bureau (CFPB) was unconstitutionally structured. In the majority opinion, Judge Kavanaugh described the position of CFPB Director as, in terms of unilateral authority, “the single most powerful official in the entire U.S. Government, other than the President.” (Maj. Opinion at 27). The Court’s ruling severs the for-cause removal protection provision for the Director from the Dodd-Frank Act, repositioning the CFPB as an [...]

FTC PrivacyCon Event Examines Cutting-Edge Research and Current Policies Regarding Privacy and Data Security

The Federal Trade Commission held its PrivacyCon event, featuring nineteen presentations showcasing original research regarding important consumer privacy and security issues by leading academics from universities and think tanks from around the world. A full video recording of the webcast is available here. The conference took place in Washington on Jan. 14, 2016, and included discussion about the policy implications of the research being conducted with thought leaders from academia, research, consumer advocacy, and industry. FTC Commissioner Julie Brill succinctly outlined the top concerns [...]

FFIEC Warns of Increase in Cyber Attacks Involving Extortion, Encourages Financial Institutions to Develop Response Programs

Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement warning of an “increasing frequency and severity of cyber attacks involving extortion.” The statement warned that criminals have been extorting financial institutions using a variety of tactics, including denial of service attacks, theft of sensitive information, and use of “ransomware,” which is software that prevents legitimate users from accessing company files unless a ransom is paid. To protect against these attacks, the FFIEC encouraged financial institutions to “develop and implement [...]

Jan Dhont Authors Corporate Counsel Article on Safe Harbor Decision

Jan Dhont, Brussels partner and head of the firm’s European Privacy and Data Protection practice, authored the Corporate Counsel article, “The Sinking of the Safe Harbor: Just Another Symbolic Decision?” In the article, Dhont discusses the concerns and uncertainty stemming from the October 6 European Court of Justice strike-down of Safe Harbor, and where companies may go from here. This ruling is a matter of global concern and may actually result in less privacy for individuals, not more. Dhont notes that while there are mid- to long-term solutions to take the place of Safe Harbor, [...]

Article 29 Working Party Calls for Political Action

In a concise statement, the Article 29 Working Party (WP29), a consortium of European Data Protection Authorities (DPAs), released a position paper today about the landmark ruling of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner (C-362-14). WP29 makes a political call on the EU Member States to finalize discussions with the US authorities on a political and legal solution for the transfer of personal information from the EU to the US. The solution should ensure that strong guarantees are provided to EU data subjects against US surveillance. WP29 calls [...]

A Discussion with FTC Commissioner Julie Brill: The Future of Trans-Atlantic Privacy

On October 20, Alston & Bird will host a panel discussion with FTC Commissioner Julie Brill. The event will be broadcast as a webinar. Commissioner Brill will discuss the future of U.S. – European privacy with Brussels Partner Jan Dhont and Senior Counsel Peter Swire. The discussion will be moderated by Partner Jim Harvey. This timely discussion with Commissioner Brill follows the European Court of Justice’s rejection of the Safe Harbor framework in the judgment issued on October 6. That rejection affects thousands of businesses engaged in E.U. – U.S. data transfers. Meanwhile, the [...]

David Keating Quoted on Law360 about Data Transfer Issues After Safe Harbor is Invalidated

David Keating, partner and co-leader of the firm’s Privacy & Data Security practice, was quoted on Law360 regarding the practical impact on companies of the decision of the European Court of Justice (ECJ) invalidating the EU-U.S. Safe Harbor program for transfers of personal data. The ECJ decision requires companies to evaluate the mechanisms they and their vendors use to move data out of the European Union and the European Economic Area. One option that is being discussed by the commentators is to secure individual data subject consents. David points out that this approach may [...]

European Court of Justice Strikes Down Safe Harbor

In a momentous judgment, the European Court of Justice (“ECJ”) today invalidated the European Commission’s decision establishing the E.U.-US Safe Harbor for transfers of personal data (“Safe Harbor Decision”). The ruling was made with record dispatch, following on an Advocate General Opinion recommending invalidation that was delivered to the Court only two weeks ago. Facts of the case: In the wake of the 2013 Snowden revelations, Maximilian Schrems, an Austrian citizen, privacy activist, and Facebook user, lodged a complaint with Ireland's Data Privacy Authority (“DPA”), [...]

PCI Security Standards Council Publishes Data Breach Response Guidance

The PCI Security Standards Council (PCI-SSC) has released new guidance on its website advising merchants how to deal with a data breach. The guidance particularly details when a PCI Forensic Investigator (PFI) will be required, and provides tips on making the PFI process go smoothly. The PCI-SSC states that “preparing for the worst is the best defense” by having an incident response plan. In addition, PCI-SSC advises limiting data exposure by isolating affected systems without turning them off, notifying necessary business partners (such as the payment brands and merchant banks) immediately [...]