A number of statutes, regulations, and rules have been adopted to protect the confidentiality and integrity of financial data, as well as the integrity and availability of the financial institutions and markets. Among these statutes are:
- The Fair Credit Reporting Act (FCRA), amended by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which governs the use and protection of certain financial and consumer reporting information;[1] and
- The Gramm-Leach-Bliley Act of 1999 (GLBA), which governs both the privacy and security of non-public personal financial information held by financial institutions.[2]
These laws and their implementing regulations generally place limitations on the collection, use, and disclosure of financial information, require covered entities to provide consumers with certain information about their privacy practices, and direct covered entities to take steps to protect the security and integrity of the information.[3]
In addition to federal law, a number of states have their own state-level financial privacy rules. While these laws typically are consistent with the GLBA requirements, companies must not overlook them. In particular, financial institutions doing business in New York and Colorado should be aware of certain cybersecurity regulations adopted by financial regulators in those two states.[4] Among other things, the New York Department of Financial Services cybersecurity rules impose a robust set of requirements—including encryption, multi-factor authentication, breach notification, and other very detailed obligations—on entities that it regulates.[5] For more on New York’s and Colorado’s rules, see here and here, respectively.
[1] 15 U.S.C. § 1681.
[2] Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended).
[3] See FTC, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, available here (last visited Feb. 22, 2019).
[4] See N.Y. Comp. Codes R. & Regs. tit. 23, § 500; Colo. Code Regs. §§ 704-1:51-4.8, 704-1:51-4.14.
[5] N.Y. Comp. Codes R. & Regs. tit. 23, § 500.