Privacy & Information Security Law Blog

On March 9, 2022, the Biden Administration released its much-anticipated “Executive Order on Ensuring Responsible Development of Digital Assets” (“Executive Order”). The White House describes the Executive Order as the “first whole-of-government strategy” on digital assets and attempts to strike a balance between encouraging innovation and U.S. leadership in the digital asset space, while signaling an appetite to protect against a variety of stated risks through additional regulation and legislation.

On February 12, 2018, in a settled enforcement action, the U.S. Commodity Futures Trading Commission (“CFTC”) charged a registered futures commission merchant (“FCM”) with violations of CFTC regulations relating to an ongoing data breach. Specifically, the FCM failed to diligently supervise an information technology provider's (“IT vendor’s”) implementation of certain provisions in the FCM’s written information systems security program. Though not unprecedented, this case represents a rare CFTC enforcement action premised on a cybersecurity failure at a CFTC-registered entity.

On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules that require broker-dealers, mutual funds, investment advisers and certain other regulated entities to adopt programs designed to detect “red flags” and prevent identity theft. These rules implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, that amended the Fair Credit Reporting Act (“FCRA”) to direct the SEC and the CFTC to adopt rules requiring regulated entities to address risks of identity theft. The 2003 amendments to the FCRA required other regulatory authorities to issue identity theft red flags rules, but did not authorize or require the SEC or the CFTC to issue their own rules.

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.