March 13, 2025

2024 Year in Review: Data Privacy and Cybersecurity

Welcome to the “Data Privacy and Cybersecurity” chapter of our annual report, Consumer Financial Services: 2024 Year in Review.

Looking Ahead to 2025

Consumer financial services regulators are taking a keen interest in artificial intelligence (AI) technologies and the sharing and monetization of consumer data. Regulators are also increasingly focused on financial services companies’ compliance, preparedness, and response readiness for cybersecurity events and are more frequently than in the past bringing investigations and enforcement actions in the wake of cybersecurity incidents.

Demonstrating this increased focus on data privacy and cybersecurity, the Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC), and New York Department of Financial Services (NYDFS) implemented rulemaking, signaling regulatory scrutiny over digital payment technology, data sharing, and use of AI in the financial services industry.

Key Trends From 2024

Consumer financial services regulators are extending both their reach and their expertise into data privacy and cybersecurity. State regulators have historically been, and remain, more active than federal regulators in overseeing and enforcing in this space, particularly through joint coordination and a focus on specific financial services industries, but the CFPB has clearly expressed its intent to expand its jurisdiction here as well. Although public enforcement matters against financial services companies were few in 2024, Goodwin anticipates a growing number of enforcement actions intended to increase accountability at companies in the financial services industry. The year 2025 will also be an inflection point for the new CFPB director, whose decisions will determine how strongly the agency inserts (or retracts) itself in the data privacy and cybersecurity space.

In the News

Data Security Class Actions

Class action lawsuits against financial services companies that fell victim to cybercriminals, whether directly or through a vendor, remained active in 2024. In the mortgage space alone, LoanCare, Fidelity National Financial, Bayview, and loanDepot (among others) were all embroiled in data breach class action litigation in 2024. Other financial services companies continued ongoing class action litigation in the fallout from the MOVEit file transfer software data breach and a similar breach that occurred at Infosys. The bottom line: financial services companies are not immune from the raft of data breaches and the tag-along class actions that follow them.

FTC Safeguards Rule Notification Requirement Now in Effect

In May 2024, the amended Safeguards Rule took effect. The amendment requires financial institutions to notify the FTC as soon as possible — and no later than 30 days after discovery — of a security breach involving the information of at least 500 consumers. Financial institutions covered by the rule must use a new online form to notify the FTC. In addition, financial institutions are expected to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

HUD Cyber Incident Reporting

In May 2024, the United States Department of Housing and Urban Development (HUD) issued a mortgagee letter, effective immediately, stating that a Federal Housing Administration (FHA)–approved mortgagee that has experienced a suspected significant cyber incident must report the incident to HUD’s FHA Resource Center and Security Operations Center within 12 hours.

Texas and New Hampshire Attorneys General Announce New Efforts to Enforce Their State-Level Consumer Privacy Laws

In June 2024, the Texas attorney general launched a team “focused on the aggressive enforcement of Texas laws.” Per the Texas attorney general, the initiative “will ensure companies respect Texans’ privacy rights and safeguard their personal data […] [and] is poised to become among the largest in the country focused on enforcing privacy laws.” Similarly, in August 2024, the New Hampshire attorney general announced the creation of a Data Privacy Unit that will be responsible for enforcing compliance with the New Hampshire Data Privacy Act (New Hampshire Act), which became effective on January 1, 2025. According to the press release, the new unit is “tasked with developing a series of FAQs that will assist consumers and businesses in understanding their rights and responsibilities” under the New Hampshire Act.

CFPB Guidance Regarding Artificial Intelligence in Worker Surveillance

In October 2024, the CFPB issued guidance regarding whether employers can “make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act.” The CFPB stated that the answer to that question is “no.” Companies that analyze worker data, including through algorithmic models that use AI, to provide reports containing assessments or scores of worker productivity are “consumer reporting agencies” governed by the Fair Credit Reporting Act (FCRA), which carries an expectation and obligation to ensure maximum possible accuracy. Furthermore, employers that use such reports must comply with the FCRA, both its general obligations and the additional obligations that apply to reports used for employment purposes. The CFPB encouraged employers to review their current practices regarding the use of third-party consumer reports to ensure compliance with FCRA requirements.

NYDFS Issues Report on Risks Posed by Artificial Intelligence

In October 2024, the NYDFS issued an industry letter regarding the cybersecurity risks arising from AI. The letter highlighted some of the threats identified by cybersecurity experts, such as AI-enabled social engineering and AI-enhanced cybersecurity attacks. NYDFS noted that its cybersecurity regulation requires covered entities “to assess risks and implement minimum cybersecurity standards designed to mitigate cybersecurity threats relevant to their businesses — including those posed by AI” and identified several controls and measures that may help companies protect against AI risks.

CFPB Issues Report on Monetization of Consumer Financial Data

In November 2024, the CFPB issued a report summarizing the state laws that give consumers more control over their data and highlighting the gaps in protection that result from state law exemptions for financial institutions subject to the Gramm-Leach-Bliley Act or the FCRA. The report discussed the new business models being built by financial institutions, the need for protections as more advanced methods of collecting and monetizing data become more prevalent, the state laws that provide expanded rights to consumers, and the gaps that policymakers should endeavor to address in the future.

NYDFS Cybersecurity Regulation Now in Effect

In November 2024, the NYDFS’s amended cybersecurity regulations took effect. The regulations were originally amended in November 2023, with several rolling effective dates. Multiple provisions went into effect in November 2024, including requirements that nonexempt covered entities’ chief information security officers timely report material cybersecurity issues to company leadership and that senior leadership undertake new responsibilities regarding cybersecurity matters. Also, as of November 2024, covered companies are required to encrypt all nonpublic information being moved to external systems, revise their incident response plans to comply with the new regulations, and implement written disaster recovery plans that identify all items needed for continued operations in the event of a cyber-related incident.

NYDFS Issues Industry Letter on Threats Posed by Remote Technology Workers

In November 2024, the NYDFS issued an industry letter urging organizations to exercise caution when hiring remote employees, citing an increase in individuals located in the Democratic People’s Republic of Korea misleading companies about their location in order to generate income and potentially gain access to systems or data. NYDFS further encouraged companies to conduct due diligence during the hiring process and to implement technical controls, including tracking and geolocating corporate laptops to ensure they are delivered to, and remain at, the initially reported residence.

CFPB Issues Final Rule on Personal Financial Data Rights

In January 2025, the CFPB’s final rule, issued in October 2024, requiring banks, credit unions, and other financial services providers to give consumers the right to request their information in a secure and reliable manner went into effect. Among the rule’s other purposes is allowing consumers to freely transfer their banking history and data if they switch financial institutions. The new rule defines obligations for third parties accessing consumers’ data, including important privacy protections, and, according to the CFPB, promotes fair, open, and inclusive industry standards.

2024 Enforcement Highlights

NYDFS Consent Order With Genesis Global Trading

In January 2024, NYDFS entered into a consent order with Genesis Global Trading under which Genesis paid $8 million in fines relating to violations of virtual currency and cybersecurity regulations, including failing to maintain compliant anti–money laundering and cybersecurity policies and programs. NYDFS specifically claimed that Genesis failed to conduct risk assessments, which should serve as the foundation of a company’s cybersecurity program; to adequately encrypt nonpublic personal information; and to provide proper certification of compliance to NYDFS.

SEC Charges and Settles With Technology Companies on Misleading Cyber Disclosures

In October 2024, the Securities and Exchange Commission (SEC) publicized several enforcement actions against technology companies related to those companies’ disclosures regarding cybersecurity risks and breaches. The SEC also charged one of these companies with a violation of disclosure controls. In total, the four enforcement actions fined the companies almost $7 million in civil penalties. According to the SEC, these companies minimized the impact of a cybersecurity breach in their public filings, and these enforcement actions “reflect [that while] public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”

FTC Targets the Collection and Use of Sensitive Consumer Data

In December 2024, the FTC filed a proposed settlement order against two large data aggregators. According to the FTC, these companies engaged in unfair practices when collecting and transferring sensitive consumer data. Of particular interest is that the FTC prohibited collecting consumer data from real-time bidding (RTB) exchanges without consumer consent. RTB exchanges are used to sell digital advertisement space to advertisers and may involve the sale of consumer personal information, such as location, as part of the auction process so that advertisers can serve location-targeted advertisements. The December 2024 settlement is consistent with the FTC’s other enforcement activity this year, which also focused on the sale of location data by data brokers without informed consent.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.