Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

Department of Justice Announces New Civil Fraud Cybersecurity Enforcement Team

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the Department of Justice’s Civil Cyber-Fraud Initiative.  As Kellen Dwyer, Kim Peretti ,and Jon Knight report on the Privacy, Cyber & Data Strategy Blog, the Department plans to use civil enforcement tools to “pursue…those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”

Colorado Privacy Act Becomes Third Comprehensive State Privacy Act in the United States

The Colorado Privacy Act (CPA) became law when Governor Jared Polis signed the bill on July 7, 2021. The CPA is the third general state privacy law in the United States, following the Virginia Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Although the CPA does not provide an express private right of action, businesses that violate the Act may face liability for deceptive acts (and a civil penalty of $20,000 per violation), enforced by the Colorado attorney general and/or Colorado state district attorneys.

In a Privacy, Cyber & Data Strategy Advisory, our Privacy, Cyber & Data Strategy Team highlights some of the similarities and differences between Colorado’s new consumer privacy law and its older siblings in California and Virginia.

Colorado Becomes the Third State to Adopt a General Privacy Law

On July 7, Colorado became the third state behind California and Virginia to adopt a comprehensive privacy law when Governor Jared Polis signed the Colorado Privacy Act into law. The CPA contains many similarities to the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA). But there are several key differences, including with respect to the scope of certain of the consumer privacy rights and the contract terms required in agreements with processors. Like CPRA but unlike the VCDPA, the statute mandates a formal rulemaking process. Notably, the law does not contain a private right of action, but a violation of the CPA is considered a deceptive trade practice and may result in a fine of $20,000 per violation. The CPA takes effect July 1, 2023.

Please contact our Privacy, Cyber & Data Strategy Team with any questions or for further guidance.

Executive Order Details Cybersecurity Changes For Public And Private Sectors

In a lengthy Executive Order issued on May 12, 2021 (the “Order”), the Biden Administration has taken steps “to make bold changes and significant investments” in both public and private sector cybersecurity “in order to defend the vital institutions that underpin the American way of life.” The full scope of the Order remains to be seen. Much will depend on the recommendations and rules issued by various agencies over the coming months. Nonetheless, the Order itself signals several areas where significant changes can be expected.

In a May 14 blog post, Jon Knight of Alston & Bird’s Privacy, Cyber & Data Strategy team explores the impact of the Order.

NYDFS Reports Major Cybersecurity Settlement

In early March, the New York Department of Financial Services (NYDFS) announced a settlement involving a $1.5M penalty and mandatory remediation in response to a mortgage lender’s alleged failure to report a cyber breach, and other alleged cybersecurity failures. This enforcement action marks the second public enforcement action under 23 NYCRR Part 500 (the “Cybersecurity Regulation”) (see our post on the prior action here).

It is noteworthy that the settlement follows a routine safety and soundness exam by the regulator which included a review of security issues under the Cybersecurity Regulation.  This settlement provides an example of both the alleged failure to have reported a security incident and the potential that any such failure will later be detected by the NYDFS in routine examinations.

The consent order noted two major cybersecurity failings on the part of the licensee, Residential Mortgage Services, Inc. (“Residential Mortgage”), according to the NYDFS:

  • Failure to Adequately Investigate and Respond to a Cybersecurity Event. The consent order recounts a successful phishing attack that resulted in a “cyber intruder” accessing an employee’s email account. Residential Mortgage’s IT staff determined that improper access had occurred and quickly took steps to prevent further unauthorized access. However, the consent order faults Residential Mortgage for failing to conduct any further investigation to determine (1) whether the compromised inbox “contained private consumer data,” (2) “which consumers were impacted,” and then (3) “apply the applicable state notice requirements triggered by the breach.” The consent order notes that, following the NYDFS’s examination and investigation of the Cybersecurity Event, Residential Mortgage did determine that it was obligated to notify individuals under various state laws based on a review of all data elements “that could have been accessed” during the intrusion. According to the consent order, Residential Mortgage subsequently made notifications to individuals as required by those laws.
  • Lack of “Comprehensive Cybersecurity Risk Assessment.” The consent order states that Residential Mortgage “was missing a comprehensive cybersecurity risk assessment.” Such risk assessments are required under the Cybersecurity Regulation to periodically evaluate vulnerabilities and inform operation of the cybersecurity program.

In addition to assessing a $1.5M civil penalty, the settlement provisions require Residential Mortgage to make the following submissions to the NYDFS within 90 days:

  • “a comprehensive written Cybersecurity Incident Response Plan;”
  • a comprehensive risk assessment;
  • “Policies, procedures and controls” relating to monitoring user activity and detecting unauthorized access or use of personal or confidential information; and
  • “Cybersecurity awareness training for all personnel, updated to reflect risks identified by Residential Mortgage in its Cybersecurity Risk Assessment.”

Residential Mortgage also agreed to “fully cooperate” with the NYDFS “regarding all terms of this Consent Order,” and the NYDFS reserved all rights to take further action in the event of noncompliance. The consent order notes Residential Mortgage’s “commendable cooperation” with the investigation and remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program.”