Consumer data protection and breach mitigation requirements are on the legislative docket in several states this year, and a rule from the Federal Trade Commission means updated requirements for information security programs at financial institutions.
02/07/2022 3:45 P.M.
Data privacy is on the legislative agenda in several states as they seek to enact data sharing safeguards for consumers, and it remains on the federal regulators’ radar for rulemaking in 2022.
ACA International member Kim Phan, a partner at Ballard Spahr LLP in Washington, D.C., recently spoke on the topic on the ACA Huddle, explaining that we can expect to see a lot of state regulatory scrutiny and federal updates on data privacy. ACA members can listen to the episode here.
The Federal Trade Commission has always been the de facto privacy and data security agency, Phan noted. A significant development this year will be the FTC’s implementation of its amended Safeguards Rule, which strengthens the data security safeguards that financial institutions subject to the Gramm-Leach-Bliley Act are required to put in place to protect their customers’ financial information, according to a news release from the FTC.
Phan said the FTC will likely designate staff to run information security and risk assessments at the commission. She added that Alvaro Bedoya, President Joe Biden’s nominee to fill the FTC seat vacated by Rohit Chopra, now director of the CFPB, has a background in data security.
Bedoya is the founding director of the Center on Privacy & Technology at Georgetown Law, where he is a visiting professor of law.
Before founding the center, Bedoya served as chief counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.
The Senate Commerce Committee’s vote to advance Bedoya’s nomination, as well as that of FCC Commissioner nominee Gigi Sohn, has been delayed because of the absence of U.S. Sen. Ben Ray Luján, D-N.M., who is recovering from a stroke. While Luján recovers, Democrats are short a vote on the evenly divided committee to approve the president’s nominees, The Hill reports.
Meanwhile, the amended Safeguards Rule took effect Jan. 10, 2022, and certain of its new requirements, including the specific elements an information security program must contain, must be in place by Dec. 9, 2022, according to the Federal Register notice.
The final Safeguards Rule contains five main modifications to the existing rule:
- It adds provisions designed to give covered financial institutions more guidance on how to develop and implement specific elements of an overall information security program, such as access controls, authentication and encryption. Among the specific requirements are multifactor authentication for anyone accessing customer information, encryption of customer information both in transit over external networks and at rest, and periodic penetration testing and vulnerability assessments of information systems.
- It adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring a qualified individual to oversee the program and to report in writing, at least annually, to the board of directors or equivalent governing body.
- It exempts financial institutions that maintain customer information on fewer than 5,000 consumers from certain requirements, including the written risk assessment, the written incident response plan and the annual report to the governing body.
- It expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the rule.
- The final rule defines several terms and provides related examples in the rule itself rather than incorporating them from the Privacy of Consumer Financial Information Rule.
ACA filed extensive comments on the Safeguards Rule discussing potential compliance burdens for ACA members.
State Data Privacy Laws
Several states have proposed or are revisiting data privacy laws this legislative session.
New York is revisiting data privacy legislation this year with a bill that includes a private right of action, allowing consumers to sue for violations by businesses, ACA previously reported.
Because of the private right of action, New York’s proposed law carries a heavier enforcement threat than the laws already on the books in Virginia and Colorado, which are enforced only by the state attorney general, and in California, where the private right of action is limited to certain data breaches.
While the Washington Privacy Act has failed to pass for three consecutive years because of disagreements over a private right of action, Washington is still a state to follow this year, as are Florida and Oklahoma.
Nebraska has proposed Legislative Bill 1188, which would enact the Uniform Law Commission’s Uniform Personal Data Protection Act. The uniform act, which is drafted for adoption by multiple states in the same form, includes rights for consumers to access and correct their data but does not include a private right of action.
In Mississippi, State Sen. Angela Turner-Ford introduced legislation that is similar to the California Consumer Privacy Act. If approved, it would take effect on July 1, 2023. It does not include a private right of action.
Florida State Sen. Jennifer Bradley has reintroduced the Florida Privacy Protection Act, a comprehensive privacy bill that did not pass in the Florida Senate in 2021.
In Indiana, State Rep. Carey Hamilton introduced a comprehensive privacy bill that would require businesses to provide certain information to consumers, allow consumers to request their data from businesses, and designate enforcement of consumer privacy to the Indiana division of consumer protection.
Washington has the Washington Privacy Act on its legislative docket this year for the fourth consecutive session, along with companion legislation, Senate Bill 5813.
ACA will continue to follow these state activities and keep members updated in ACA Daily.
For more state updates, members are invited to join the weekly ACA Huddle at 11 a.m. CDT on Wednesdays.