Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

California Attorney General Targets Location Data in New Investigative Sweep

This week California Attorney General Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act (CCPA). We have anticipated this sweep for some time based on the focus and the direction of a number of inquiries, investigations, and enforcement proceedings initiated by Attorney General Bonta’s office over the past 12-24 months.

The Notices of Violation issued by the Attorney General’s office will give rise to meaningful risks for many of the receiving businesses. We anticipate the Attorney General’s team will focus on granular technical details of data collection via mobile apps including through the third-party SDKs[1] that are ubiquitous across digital mobile products. How these and other digital analytics tools collect and transfer data, including precise location data, is often not well understood even by the internal digital marketing, data analytics, and product development teams that deploy and use the tools. This blind spot has created a zone of risk for many businesses that would not consider themselves a part of the “location data industry” referenced in the Attorney General’s announcement.

The interactions with the Attorney General’s office in these investigations and in enforcement proceedings can also change focus when the Attorney General’s staff suspects compliance gaps in other sensitive areas, such as use of mobile apps by children or in connection with healthcare or other sensitive activities. Careful and detailed internal legal/technical data flow analyses are therefore critical to quickly identifying the full scope of potential risk and framing the strategy for engaging with the Attorney General. For those businesses that have not received notices, this is another opportunity to close the gap between digital advertising, data analytics, and mobile app development and these emerging and increasingly clear legal privacy standards relating to precise location data and use of third-party SDKs in mobile apps.

Alston & Bird’s Privacy, Cyber & Data Strategy Team has extensive experience advising and defending clients who receive inquiries and violation notices from California’s privacy regulators.  We will continue to monitor developments in privacy regulatory enforcement in California and other states.

[1] “SDK” refers to a software development kit. These tools, many of which are free, are commonly used by mobile app teams to shorten app development timelines and quickly add features and functions to mobile apps.

_______________________________
Originally published March 12, 2025 on Alston & Bird’s Privacy, Cyber & Data Strategy Blog.

Trump Administration Rescinds Biden Executive Order on Artificial Intelligence

What Happened?

Last week, President Trump signed an Executive Order that rescinded the Biden Administration’s October 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.

Titled “Removing Barriers to American Leadership in Artificial Intelligence,” the new Executive Order “revokes certain existing AI policies and directives that act as barriers to American AI innovation, [and will] clear a path for the United States to act decisively to retain global leadership in artificial intelligence.” The Trump Administration’s Executive Order directs executive departments and agencies to develop and submit to the President an action plan designed to meet that objective.

Why does it Matter?

AI is expected to be a focus for the new Administration, and policy likely will focus on AI development and innovation as a matter of economic competitiveness and national security. In December, (then President-elect) Trump named David Sacks, a prominent Silicon Valley venture capitalist, as the White House “AI and Crypto Czar.” When announcing this appointment, President Trump characterized AI as “critical to the future of American competitiveness…David will focus on making American the clear global leader…” We expect the Administration to focus on national security issues that include export control issues where the technology could be used in military applications by non-US governments.

What’s Next?

In contrast to the deregulatory approach at the federal level, a number of states already have passed legislation relating to the use of AI, particularly in the consumer space, including laws relating to data use, consent, and disclosures. Additionally, state Attorneys General, particularly in “blue states,” have expressed concern about the risk of “high-risk” AI that can negatively impact consumers’ access to financial goods and services and employment opportunities. With growing use of AI, we expect more activity at the state level.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of in the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae.  Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days.  Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement.  It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation Chart

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entitiesClass A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.

 

 

 

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition.  The Amendment becomes effective 180 days after publication in the Federal Register.  Importantly, the amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). The Safeguards Rule within the FTC’s jurisdiction include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors and collection agencies, among others.  The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement and not an individual notification requirement in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines which applies to banking financial institutions, and the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines which defines “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identify theft) to the individual.  This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state Attorney Generals under most state data breach notification laws (either explicitly or implicitly), but a key difference from the Interagency Guidelines, which requires notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution, (ii) a description of the types of information involved in the Notification Event, (iii) the date or date range of the Notification Event (if available), (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether law enforcement official (including the official’s contact information) has provided a written determination that notifying the pu of the breach would impede a criminal investigation or cause damage to national security.  Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”