RegFi Episode 31: The Road Ahead for Financial Services Data Privacy Regulation
31 min listen
Orrick partner Beth McGinn joins RegFi co-hosts Jerry Buckley and Sasha Leonhardt for our second episode focused on the proposed American Privacy Rights Act and its potential impact on the financial services industry. Beth sets the stage with an overview of the current data privacy regulatory landscape for financial services providers, including updates to the GLBA Safeguards Rule, reporting and disclosure requirements from the SEC and CISA, and state data privacy developments. Turning to the APRA, the group discusses how the FTC’s expansive rulemaking authority might interact with existing federal regulatory regimes, whether state requirements could be exempt from federal preemption, and new executive responsibility and impact assessment requirements in the proposed legislation. The conversation closes with a quick round-up of early industry and policymaking reactions to the APRA and provisions that would benefit from clarification before the bill is finalized.
Jerry Buckley: | Hello, this is Jerry Buckley, and I am here with my RegFi co-host, Sasha Leonhardt. Today, we are joined by our Orrick partner, Beth McGinn, who is an expert in all things related to privacy and data security, with particular focus on how those rules apply to banks, credit unions, financial institutions and fintechs. In our last RegFi episode, we shared with our listeners an overview of the provisions of the proposed American Privacy Rights Act, or the APRA. We explored what rights the bill would provide to consumers and what responsibilities would be imposed on data holders. We also discussed the preemption provisions of the bill as well as exemptions, including the exemption for data held by financial companies subject to the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act. And we talked about the role of the FTC, state attorneys general and private litigants’ right of action. One provision of the bill that we highlighted but didn’t dwell on is Section 9, titled Data Security and Protection of Covered Data. Today, we are going to drill down more on the implications of Section 9 and how it might relate to federal and state data protection requirements generally and for financial service providers. Beth, to set the stage for this discussion, could you walk us through what laws related to the protection of data are currently applicable to financial service providers? I know this is an almost unfairly broad question, and if you could provide an overview, that would be so helpful as we try to see what APRA would build upon if it becomes law. |
Beth McGinn: | Thank you, Jerry and Sasha, for having me. I’m very happy to be with you today. Jerry, I thought this was a half-hour podcast. I could be talking about this for hours. And I know you are also a very well-renowned adjunct professor at one of the best universities. I’m an alumna. Perfect, perfect exam question. It is exam season for your students. So I think that, you know, this would be very, very good. But I’m just going to briefly mention a few because, like I mentioned, we could talk forever about these. But a lot of you who are listening are probably familiar. But the reason we’re bringing this up is because you’ll hear some of these mentioned in the APRA. The GLBA, that’s the first I’d like to talk about, provides a framework for regulating data privacy and security practices for financial institutions. Within the GLBA, we have the Privacy of Consumer Financial Information Rule, which deals with privacy notices, how things are, you know, the information that’s collected, shared, disclosed. But the focus today, I think, is a little bit more on the Safeguards Rule, or some people call it the GLBA Cybersecurity Requirements. And Sasha’s going to go more into this, but in June of last year, the FTC amended the Safeguards Rule pertaining to the safeguarding of customer information and it became fully effective. And there’s been a lot of back and forth on this. The FTC sought in the amended Safeguards Rule to update the Safeguards Rule, which was promulgated under the 2003, I should have mentioned that, the year of GLBA, to address nearly two decades, I can’t believe it’s been that long, of changes in technology. 
The Safeguards Rule amends the previous rule by providing guidelines regarding a financial institution’s information security program, including, and some of these, the themes you’ll hear about, is designating an individual who will be accountable for the program’s implementation and oversight and offering evidence on how a program must identify and assess the risks and how those risks must be controlled, as well as clarifying which institutions or organizations are subject to the amended Safeguards Rule. So that changed a bit. We also have the Fair Credit Reporting Act. That was enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports. The FCRA mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and also limits the use of consumer reports to defined permissible purposes. In 2003, Congress passed the FACT Act, which made significant amendments to the FCRA. And under the FACT Act, we have the disposal rule, which is very important. It requires any individual or entity that uses a consumer report or information from a consumer report for a business purpose to dispose of that information in a way that prevents unauthorized access and misuse of the data. We also have the Red Flags Rule, which requires financial entities to develop a set of rules to mandate the detection, prevention, and mitigation of identity theft. With the FTC Act, UDAP, the FTC has taken the position that poor data security is unfair. We’ve seen this in enforcement actions and litigation. Other areas I think we should bring to your attention that we’ve been following, and I’m sure a lot of you are, deal with the SEC. 
Last year, they adopted rules that require public companies to promptly disclose material cybersecurity incidents on Form 8-K and detailed information regarding their cybersecurity risk management and governance on an annual basis on the Form 10-K and write their material cybersecurity incidents. And that this is causing a lot of talk in the industry, how that’s being defined, what you do report, when you do report, and there’s been some cases recently that’s discussing that. Another area that I think financial institutions should just be aware of has to do with CISA. And Biden last year, excuse me, 2022, signed into law the Cyber Incident Reporting for Critical Infrastructure Act, and this requires CISA to develop and implement regulations regarding covered entities to report covered cyber incidents and ransomware payments to CISA. And in, just a few weeks ago, actually, April 4th, it published its notice of proposed rulemaking detailing significant new cybersecurity reporting requirements. We’re seeing the 72 hours for substantial cybersecurity incidents and 24 hours for ransom payments. You know, in terms of the critical infrastructure, financial institutions will be under that. And the Orrick team is right now working on an article detailing that. So we’re watching that very closely. You know, you also have to think about the GDPR, and also the Payment Card Industry Data Security Standard. That’s important to think about, too, when you have a breach and reporting out. States. The New York Department of Financial Services with their cybersecurity regulation. They also had amendments, amended it, and a lot of these are starting to come into effect just this month, some of the ones. And they’re very, it’s very interesting to, and I’m, you know, Sasha, Jerry, you and I talked about this, how those cybersecurity, the amendments are somewhat similar to the FTC and was around the same timing. 
So it’s interesting to see how the states and then also, you know, the FTC is working together. And of course, we have our patchwork of the state breach notification laws. So I could talk more, but I think we have other topics to go on to. So hopefully this was a good summary. And I hope I get an A if I was to take this exam. |
Jerry: | Well done. You did have the question in advance, so this was a bit of an open book exam, but you get an A. And really, I think it’s illustrative of the vast amount of activity in this space. And with that as background, let’s take a look at the specific requirements of Section 9 of the APRA, which constitute only a page and a half of text, interesting in the context of your extensive description of what else is going on in the data security space. However, in a couple of sentences, Section 9 grants the FTC authority to promulgate regulations describing how a covered entity or a service provider shall establish, implement and maintain reasonable security practices. Putting aside for the moment the exemption for financial services providers contained in Section 20, which we’ll discuss later, it seems that in these few sentences, the FTC is granted a central role in establishing data standards for the whole country. Your thoughts, Sasha and Beth? |
Sasha Leonhardt: | So, Jerry, I’ll jump in here. And I think you’re absolutely right. This is going to be a broad law that gives the FTC authority almost over every sector of the economy. And to that end, Section 9 of the proposed APRA is at a fairly high level, likely in recognition of the fact that the APRA is going to have to apply to so many different businesses and industries. A one-size-fits-all approach simply is untenable here, given the breadth of the statute. For those who regularly operate in the data security space, the APRA starts out with the classic CIA language. A company must have processes to protect the confidentiality, integrity and accessibility of covered data. Companies must also protect against unauthorized access to data, which is no surprise here. To implement these, the APRA does have certain requirements, but there’s a lot of flexibility in the statute. The APRA broadly states that a company’s data security practices must be appropriate to the size and complexity of the company, the nature of the data collected, processed, retained and transferred, the volume, nature, and sensitivity of the data, and the state of the art, that is, the overall development of technology that’s available and used to protect data. To comply with the APRA, companies must assess their vulnerabilities on a routine basis, take preventative and corrective actions and evaluate such actions after the fact, develop an information retention schedule and delete information according to the schedule, train their employees who happen to have access to covered data, and develop and implement an incident response plan. Now, these are all fairly standard provisions in data security laws at the federal and state level, particularly those affecting financial institutions. We’ve seen these requirements in some form or function in the Safeguards Rule and elsewhere. 
Notably, consistent with the rules-based approach, the APRA will allow the FTC to write rules to implement this section. And I think that’s going to be a real interesting area where we’ll see the FTC get to stretch its authority here and perhaps customize this to various different sectors in the economy. |
Jerry: | Well, Beth, your thoughts? |
Beth: | Yeah, Sasha, it’s interesting, I think, you know, some of the language that you just said in terms of the confidentiality, integrity, accessibility of covered data, we saw some of that language in some of the new state privacy laws, you know, but here, you know, so it’s very interesting, but they do not go into, I think Colorado goes into a little bit more, talking about the size and everything, but the state laws just have that type of language. So the APRA is elaborating more, as you mentioned. I think it’s really interesting that the FTC is working with the Department of Commerce on this because Commerce is not a new kid on the block when it comes to data protection or data security. We have seen, you know, their tasks, and you see this on the website of enhancing cyber awareness and protections, protecting privacy, maintaining public safety, supporting economic and national security, and empowering Americans to better maintain their safety online. We saw the Commerce Department involved with the Privacy Shield. However, as we all know, in July of last year, the Privacy Shield program was replaced by a new voluntary EU-U.S. data privacy framework that provides a mechanism for companies to transfer personal data from the EU to the U.S. in a privacy-protective way consistent with the EU law. And to join the framework, a company must self-certify with the Department of Commerce that it complies with the framework. And a company’s failure to comply with the principles of the framework may violate Section 5 of the FTC Act prohibiting unfair and deceptive acts. Within the Department of Commerce, there’s NIST, and that’s the National Institute of Standards and Technology. And this is a non-regulatory federal agency, as I mentioned, within Commerce. And its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. 
And this is on their mission statement on their website. NIST is one of the nation’s oldest physical labs, and it has an information technology lab with technical divisions. And there’s, I believe, around six. And one of them is the Applied Cyber Division that works on the cybersecurity framework (which many of you are aware of or, you know, try to follow); the privacy engineering, or sometimes that’s referred to as a privacy framework; public safety and communication security; small business center that works with the FBI; smart grid; and also voting system security. So it’s interesting to see, you know, has NIST weighed in on this, you know, the APRA? Will they be working with commerce and the FTC? So, this is something you know we’re following, we’re interested to see if there’s been any, as we mentioned earlier, you know, we were talking, Sasha and Jerry, we were talking earlier that, you know, has there been any statements from NIST and the Department of Commerce. So it’s going to be interesting to see how all this comes out. |
Jerry: | And you know Beth, this is a 53-page bill, relatively short for the vast area of commerce that it covers. And so it has shorthand, in my view, shorthand provisions like “shall coordinate with the Department of Commerce.” And the devil is going to be in the details as to how that comes out. Now, you know, as noted in our prior RegFi podcast concerning APRA, there are exemptions to the requirements of APRA spelled out for data subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, held by a financial services provider and subject to those statutes. As noted also, the data exemption is not an entity-level exemption, it’s a data-level exemption, but it’s important to note this general data-level exemption does not apply to data security provisions of Section 9. That’s a separate regime. Could you speak to this, Sasha or Beth? That is, are there full parallels between the requirements with respect to data security and the privacy provisions and data holding and management provisions of the other part of the statute? I should say the other part of the bill. Go ahead. |
Sasha: | Sure thing, Jerry. So you’re right that generally the APRA does not apply if information is used solely and exclusively with respect to Title V of the GLBA. And the way that the proposed APRA handles this sort of overlap is interesting. It states that a covered entity or service provider that’s required to comply with the APRA’s data security requirements will be deemed to be in compliance if it follows the requirements of Title V of the GLBA. Putting all this together, what it means for financial institutions here is that data that you have that is obtained under the GLBA and is protected under the Safeguards Rule that was promulgated under GLBA, that is going to be deemed to be in compliance with the APRA if you follow that rubric. However, data outside of that may not be covered by that. Again, we’ll see what the final rule and final statutory text and final rule look like. But it may be that financial institutions are subject to two different regimes here: one for GLBA protected data under the Safeguards Rule and a separate one under the APRA and the rules to be promulgated by the FTC to implement that. I’ll note, as Beth said, the Safeguards Rule is something that is near and dear to the FTC’s heart. They’ve been updating it, you know, every 18 months or so for the last few years. They’re on top of it there. So it’ll be interesting to see how the FTC writes whatever new rules they promulgate under the APRA side by side with the Safeguards Rule. |
Jerry: | And they may decide to rely on the Safeguards Rule and simply amend that using their authority under the APRA, granted if the APRA were to pass. Well, now turning to the important subject of preemption of state laws, which is a central theme of the APRA, in the data security area, how does preemption play out? |
Beth: | As we know, preemption has historically been a very politically charged issue that has been a barrier to adopting a federal privacy law in the past. And given the history, it’s no surprise that the preemption provisions in the APRA, as we’re just talking, are complex. For state privacy laws at a high level, the latest or the discussion draft walks a fine line. Its general baseline rule is that it would preempt state laws that are covered by the APRA, but then it lists a number of state laws that would not be preempted, including state breach notification laws. I’m going to focus on that right now. We all know that responding to a data breach can be complicated given the patchwork of all the state laws. State laws vary on what type of personal information triggers a breach notification obligation to individuals, what form of data triggers the obligation to individuals if it’s unencrypted or computerized, when the notice must be given to individuals, the form of notice, what can be included in the notices, and what states require notification, state agencies, and also if CRAs, you know, or notification to them, you know, is needed. I think that we will, or it looks like we will continue to need to be up to date on all the state data breach laws. You know again, it’s a patchwork. And even last year, you know, we saw some of the states amending their data breach notifications. I know Pennsylvania and Florida added more to their definition of what is considered personal information. Utah and Texas added, in terms of notifying the AG, what type of notification and the timing. So, you know, if unfortunately you’re subjected to a breach, you can’t rely, you know, a lot of people have matrices, but to make sure, you know, what the qualification, what you need to do for notification, but you really need to be up on every state law. So, we’re going to continue from how the draft is to abide by those laws. 
You know, there’s been some that have argued or, you know, that state government rather than the federal government is more likely to provide protection to the consumers. You know, I was curious, we were curious whether they kept this in to keep states happy, because there has been a lot of chatter that many states are not happy with this. There was a letter, if you all haven’t seen it, that the executive director of the California Privacy Protection Agency wrote to the chairs. And they did say, he did say, we look forward to working with you to craft legislation that supports both a federal baseline and states’ ability to innovate. So it’s interesting to see how, again, you know, what other states are going to say, but California definitely came days after and wrote to the chairs about this proposal. |
Jerry: | Well, you know, stepping back and looking at this, there is a preemption provision with a lot of exceptions, and if I, I used to work on Capitol Hill, as you know, and if I were on the committee advising my member or senator, I would suggest at least that there be some FTC-sponsored effort to coordinate state laws so that they wouldn’t be as diverse as they could be without such a provision. This needs more work if it’s going to achieve any of the goals that preemption was supposed to achieve. That’s my personal opinion. Now, there’s a provision in Section 10 of the APRA requiring executive responsibility. Can you speak to that, what it will cover, and what it means for companies subject to the Act? |
Beth: | I’m happy, Sasha, I’m sorry I’m talking so much, but I’m happy to talk about this. I think in contrast to many of the U.S. data privacy laws, the APRA takes a page from the GDPR’s book, and it requires businesses to establish a data privacy and/or security officer role. The role isn’t exactly comparable to the GDPR’s data privacy officer role, at least not in the draft’s current form, because it doesn’t specify what the officer’s duties would be. Covered entities must designate one or more covered employees to serve as a privacy or data security officer. Large data holders, which is defined in the rule, are required to designate both a privacy and a data security officer. The data holders are also required to file with the FTC annual certification of internal controls designed to comply with the Act and internal reporting structures for compliance with the Act. They also must conduct privacy impact assessments on a biannual basis. What does this mean for companies? It’s going to have companies look, you know, and they say to those employees, who would be this designated privacy officer or security? Do they have the training? Are they, you know, up to speed? Will you need to revise any policies and procedures on what needs to be done? There will be more reporting, most likely, internally, but also this certification out. Curious as to what we saw with the DFS, and I’m sorry, I keep mentioning that, but it was amended and a lot of clients need to follow the cybersecurity regulation. There was a time previously you certified if you’re compliant. Now there’s a certification if you’re not compliant. So will the APRA, you know, will the next round come saying, okay, if you’re not compliant, similar to what we’ve seen with other regulators, you have to say you’re not compliant and when you will be compliant and what sections and when, you know, the program. So that’s what we saw recently with DFS because there’s a lot of questions like, okay, what do I do? 
Do I certify? Do I not certify? So that’s something interesting that we’ll see, you know, how that comes out. |
Jerry: | Beth, several years ago, I wrote an article that appeared in the American Banker titled “Compliance Officer Bill of Rights.” And in that article, I referenced the fact that being the chief compliance officer was considered to be the toughest job in the C-suite. I have a feeling that the CISO is going to be challenging the chief compliance officer for the honor of being the toughest job in the C-suite. |
Beth: | Yes. Absolutely. Absolutely. You know, I definitely, you know, I think every job is tough, but, you know, I don’t want to, but I think the CISO with more responsibilities, particularly with breaches, you know, the reporting, you know, like I mentioned to the SEC, different types of reporting. It is a lot on them. |
Jerry: | It really. It'll be... |
Beth: | And it’s a team effort. I’m so sorry, Jerry. You know, the CISO shouldn’t be on an island. You know, they need to, you know, work with and that’s what they want. They want the board. They want senior executives to help and be aware. So I think that’s, you know, what you just said, Jerry. Great point. It’s that it’s such an important role. And I think we’re seeing regulators and states and federal like, “OK, you know, boards, we’ve got to get you involved, senior management to make sure that the CISOs are getting the support and you’re working together and you know what the risks are.” So I think that’s... |
Jerry: | It’s certainly in the interest of the company, independent of compliance. |
Beth: | Absolutely. |
Jerry: | It’s in the interest of the company and the goodwill and reputation of the company to focus on this area, which is, as we know, one of the great vulnerabilities in our economy. Beth, to move off data security for just a moment, and more broadly, what are you hearing clients say about the APRA? We don’t have a lot of time, and I know you’re probably hearing a lot, we all are, but just interested in your thoughts, particularly in the data security space. |
Beth: | I think similar, there’s been what I had mentioned about California, what the Executive Director had said. There’s been quotes where the “APRA represents an imperfect but needed bargain to protect everyone’s rights.” I think it’s interesting, the former acting chair of the FTC stated that they, and it’s Maureen Ohlhausen, and she’s co-chair of the 21st Century Privacy Coalition, and stated that they believe the current draft raises several concerns that warrant further consideration and discussion. She pointed to issues with the draft’s failure to preempt the FCC’s data breach notification authority; its broad definition of sensitive data, which could undermine telecom providers’ ability to tailor offerings to existing customers; and its permission for states to continue to enact certain privacy laws. There’s also been discussions, you know, people wanting more privacy protections for children. Also clearer language about how companies can use data for advertising and even more strict requirements for data brokers. They want to see data like fingerprints and DNA restriction on data brokers’ activity with, you know, making those more robust. So that’s some of the chatter that we’ve been following. |
Jerry: | Right. And you know, we discussed this in our prior podcast as well, as this legislation appears to have more legs than prior legislation, people come out of the woodwork with all their concerns. And that will, even though there’s great enthusiasm for this, may well slow it down. I think it’ll be hard to get anything done before the election. Maybe something can be done in a rump session of Congress, very unclear depending on how the election comes out. This is a complex area, just the area of data security alone, putting aside the other provisions of the bill. Well, it seems at least to me that this 53-page proposed APRA is packed with issues like data security requirements that we discussed today that will need further consideration in depth. I would note that the Financial Services Committees of both Houses are expected to have an opportunity to review this legislation, and I expect that some of the issues we discussed today will be examined by those committees as well. I want to thank Beth for joining us today. It’s a pleasure to have you with us, and you bring a wealth of knowledge and experience. And Sasha, of course, it’s always great to have you as a co-host. |