An increasingly aggressive plaintiffs’ bar has brought purported class action suits based on the nearly ubiquitous use of tracking technologies used for website analytics. Although any actual harm to the plaintiffs is difficult to articulate, the health care industry has been plagued by a series of these cases. Now the plaintiffs may be moving to financial services with the potential for statutory penalties of hundreds of dollars per user when a duty of confidentiality can be credibly implicated. 

The tracking tags, pixels and similar website analytics technologies are nothing new. Rather, the technologies at issue in such complaints are widely used on websites and mobile applications across industries, including by government entities, to collect information about user behaviors and interactions with the online platform where they are embedded. That information is then sent to a third party for analytics used to enhance user experience on the platform. Many of these technologies are integral to an organization’s ability to ensure its websites and applications are functioning properly, among other things providing crash reports when users encounter issues. Additionally, many consumer-facing businesses contract with third parties to provide session replay scripts, a software that monitors and records web-user activity such as keystrokes, clicks, and scrolling.  Despite the pervasiveness of these technologies, plaintiffs have seized on ambiguities in the California state wiretap act, known as the California Information Privacy Act, as well as federal wiretap law as the basis for exceptionally large damage demands.Continue Reading Pixel Litigation Risk at Financial Institutions

In 2024, financial sector regulators prioritized cybersecurity issues impacting financial institutions and the public. Key U.S. federal agencies—including the Securities and Exchange Commission, Federal Trade Commission, and the Consumer Financial Protection Bureau—have been joined by state regulators such as the New York Department of Financial Services in significant new federal and state regulations and more

On May 16, 2024, the SEC issued a release (the “Release”) adopting amendments to Regulation S-P (the “Amendments”) that require broker-dealers, registered investment companies (together, with business development companies, “registered funds”) and registered investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including

Not that long ago, financial sector regulations seldom mentioned cybersecurity expressly, instead addressing the issue indirectly through restrictions focused on general system safeguards and omnibus reporting requirements. Gone are those days. Over the past few years, federal and state regulators have increased focus on information security issues impacting financial institutions, introducing a spate of cyber rules that often include stringent regulatory reporting and disclosure requirements. This year was no different.Continue Reading Making a List and Checking it Twice: The Impact of Cybersecurity Regulations on Financial Services in 2023

On March 15, 2023, the SEC issued a release (the “Release”) containing proposed amendments to Regulation S-P (the “Proposals”). These Proposals were published in the Federal Register today, March 21. If adopted, the Proposals would require broker-dealers, registered investment companies (with business development companies, “registered funds”) and investment advisers to adopt written policies and

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance have had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go farther, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.Continue Reading NYDFS Proposes Significant Amendments to its Cybersecurity Rules

On October 26, 2022, in a divided 3-2 vote, the Securities and Exchange Commission (“SEC”) proposed a new rule, 206(4)-11, under the Investment Advisers Act of 1940 and related amendments (the “Proposed Rule”) requiring SEC-registered investment advisers to exercise effective and sufficient oversight over their service providers so as to fulfill the adviser’s fiduciary duty, comply with the federal securities laws and protect investors from potential harm.  Notably, the Proposed Rule prohibits advisers from outsourcing certain services or functions to service providers without meeting minimum diligence and monitoring requirements. Continue Reading The SEC’s Proposed Outsourcing Oversight Requirements for Investment Advisers

On June 30, 2022, the Department of Justice (“DOJ”) announced four enforcement actions involving allegations of fraud in the cryptocurrency space. The enforcement actions, which collectively bring criminal charges against six individuals, demonstrate the breadth of potential conduct that may expose participants in the blockchain industry to regulatory and enforcement risk. In connection with these

The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previous reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.

The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have in place all of the controls described until December of this year, but should work toward implementation now, as many will require time intensive processes.Continue Reading FTC Publishes Guide to Safeguards Rule Compliance Applicable to Private Funds