The Matrix

Privacy and data security laws and regulations continue to evolve quickly, and companies processing personal data have an increasing array of issues to manage. As we enter 2024, below are five key considerations for companies managing privacy and data security risks.

Last week, the FTC amended its Gramm-Leach-Bliley Safeguards Rule, supplementing the additions to the rule that it announced in 2021 and that have been in effect since June 2023. The recent amendment will require nonbank financial institutions to notify the FTC when there is an unauthorized acquisition of unencrypted customer information involving 500 or more consumers. This notification requirement, which is scheduled to go into effect in May 2024, adds to the growing list of notifications that a company must consider after a data incident, including the SEC’s recently enacted rules requiring registrants to disclose material cybersecurity incidents.

Because the use of passwords alone is a relatively weak method to prove identity, enforcement agencies are ramping up pressure for companies to implement multi-factor authentication (MFA) both internally and to customers for online services. MFA makes it more difficult for cyber threat actors to gain access to networks and information systems if authentication information, such as passwords, is compromised through phishing attacks or other means. Below is information that may be helpful in assessing whether your company should implement MFA, and how to do so.

The Federal Trade Commission recently announced a newly updated rule concerning the data security safeguards required for financial institutions to protect their customers’ financial information. The FTC’s updated Safeguards Rule, which originally was mandated by Congress under the 1999 Gramm-Leach-Bliley Act, requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The new rule more closely aligns with the NY Department of Financial Services Cybersecurity Regulation.