Data Protection Commission Ireland’s Post

THE DIGITAL PERSONAL DATA PROTECTION ACT (DPDP), 2023 and its implications for Financial Institutions. 🔒 🛡️ Special Provisions (Financial Institutions): 🏦💰 Let us explore a situation where a person or Data Principal has borrowed money from a Bank or is obligated to pay a sum of money to the Data Fiduciary (Bank). 🧐🤔 (i) Mr./Ms. X, an individual, obtains a loan from Y Bank. 🏦💰 (ii) Mr./Ms. X fails to fulfill their financial obligation by neglecting to make the scheduled monthly loan repayment installment on the due date. 💸💰 (iii) In such situations, Y Bank may respectfully process the personal data of X to ascertain their financial information, assets, and liabilities. 💰 ⚖️ The purpose of this processing is to determine the financial information, assets, and liabilities of any individual who has failed to make payments on a loan or advance obtained from a financial institution. 💸 However, this processing must adhere to the provisions outlined in any other applicable laws regarding the disclosure of information or data. ⚖️ For more information, please refer to the provided link. 🌐 https://lnkd.in/dxykqSve

In 2023, there was a significant increase in data breaches. During the second quarter, more than 110 million accounts were compromised, a remarkable 2.6 times greater than the number of breaches in the first quarter of 2023. Research indicates that the average cost of a data leak has now reached $4.45 million, which encompasses direct expenses like fines and legal proceedings, as well as indirect costs such as reputational damage. However, there is positive news. The causes behind these breaches are frequently minor and within your control. Businesses can effectively manage these risks and protect themselves from potential data and financial losses. So, let's delve into the most common reasons for data leaks and explore some strategies to handle them.

The CFPB has been keeping busy these days and now has its sights set on expanding regulation of data brokers' activities (particularly with regard to the sale of consumer data). My colleagues and I share our insights on what may be coming down the pike in our recent client alert. Click on the link below to read more! #MayerBrown #Privacy #CFPB #databrokerwoes #FCRA

*** 30 Day data breach notification *** New rules from the Security Exchange Commission. The SEC has adopted amendments to Regulation S-P that will require certain financial institutions to notify customers within 30 days if they have a data breach. The organizations impacted by these amendment are: * broker-dealers (funding portals included), * investment firms, * registered investment advisers, * transfer agents. Here are the updates: 1) Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization, detailing the incident, breached data, and protective measures taken. Exemption applies if the information isn't expected to cause substantial harm or inconvenience to the exposed individuals. 2) Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers. 3) Expand safeguards and disposal rules to cover all nonpublic personal information, including that received from other financial institutions. 4) Require documentation of compliance with safeguards and disposal rules, excluding funding portals. 5) Align annual privacy notice delivery with the FAST Act, exempting certain conditions. 6) Extend safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies. You can read the SEC fact sheet here on ComplianceWeek.com #SEC #Regulation #databreach #compliance https://lnkd.in/dYU_W2TB

In 2023, there was a worrisome increase in data breaches. In the second quarter, more than 110 million accounts were compromised, which is a shocking 2.6 times higher than the number in the first quarter. Recent findings indicate that the average cost of a data leak has now reached $4.45 million, encompassing both direct expenses like fines and legal proceedings, as well as indirect consequences such as reputational damage. The positive news is that the causes of these breaches are often minor and within your control. Businesses can easily reduce risks to protect themselves from data breaches and the resulting financial losses. So, what are the most common causes of data leaks and how can they be effectively managed? Let's delve into it.

SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information The Securities and Exchange Commission today announced the adoption of amendments to Regulation S-P to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions. The amendments update the rules’ requirements for broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”) to address the expanded use of technology and corresponding risks that have emerged since the Commission originally adopted Regulation S-P in 2000. “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” The amendments require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The amendments also require that the response program include procedures for, with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The amendments require a covered institution to provide notice as soon as practicable, but not later than 30 days, after becoming aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. The amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply. For more information please go to sec.gov #investorprotection

I spent some time reflecting on APRA’s views on data quality and governance and what lessons can be learnt by Australian businesses. Check out my thoughts in this blog!

The Securities and Exchange Commission has updated its rules governing the way financial institutions treat consumers’ private personal information, adopting amendments requiring firms to notify investors after data breaches. (quoted from the article) The SEC announced Thursday that it modernized and enhanced Regulation S-P, which requires certain firms to notify customers about how the institutions use their nonpublic personal information. The new amendments update the rules’ requirements for broker-dealers, investment companies, registered investment advisors and transfer agents and others, addressing the expanded use of technology and corresponding risks that have emerged since the SEC adopted Regulation S-P in 2000. “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” The amendments require financial institutions to develop, implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to and recover from hacks into client data. They also stipulate that these response programs provide notice to individuals whose sensitive customer information was or was reasonably likely to have been accessed or used without authorization. The amendments require a covered institution to provide notice as soon as possible and no later than 30 days after becoming aware that an incident involving a customer-data hack has occurred. The notice must include details about the incident, the breached data and how affected individuals can respond to protect themselves. The amendments will become effective 60 days after publication in the Federal Register. Larger institutions will have 18 months after the publication date to comply with the amendments, while smaller entities will have 24 months. #databreach #cyberincident #incidentreporting #clientnotification https://lnkd.in/gpq45e4a

The SEC has introduced important updates to Regulation S-P, mandating that financial institutions notify individuals within 30 days if their sensitive information has been compromised. This change aims to enhance the protection of personal financial information and ensure prompt communication following a data breach. Financial firms, including brokers, investment firms, and transfer agents, must now inform affected individuals about the breach, the type of data involved, and the measures taken to protect them. An exemption exists if the breach is unlikely to cause significant harm or inconvenience. Additionally, financial institutions are required to establish and maintain detailed incident response plans. These plans should include steps for detecting, responding to, and recovering from unauthorized data access. They must also expand their data protection measures to include all personal information, even that received from other financial entities. Compliance with these rules must be documented, and annual privacy notices are now aligned with the FAST Act. These updates aim to bolster the security of financial information and provide clearer guidelines for financial institutions on managing and reporting data breaches.

Responses to the CFPB’s call for comments on its proposed implementation of Section 1033 reveal the deep divide between the data providers and aggregators. While there is definite agreement about the objectives of the proposed Section 1033 amendment, our analysis of the over 11,000 comments received by CFPB highlights 7 areas of conflict that the regulator will need to navigate:   1. Immediate or gradual phasing out of screen scraping   2. Data provision for free, or a fee?   3. Inclusion of payment initiations in covered data   4. Safe harbor on liability over privacy and data security   5. Who conducts customer authentication and authorization   6. Dimensions of data coverage (for example, only historical or upcoming transactions too?)   7. Interpreting consent for secondary data usage I cover these insights in more detail in my @Zeta blog https://lnkd.in/gd4AMqtN. Would love to hear more from banking and credit union individuals following this regulation closely. Which are the top issues that you’re tracking, and how are you preparing for implementation? #nextgenprocessing #