Privacy & Information Security Law Blog

The U.S. Government Accountability Office has launched an investigation into how retirement plan providers use data collected from 401k plan participants to engage in cross-selling of financial products.

On October 23, 2024, the UK government introduced the draft Data (Use and Access) Bill to the House of Lords. 

On October 21, 2024, the U.S. Department of Justice National Security Division issued a Notice of Proposed Rulemaking implementing Executive Order 14117 that will restrict certain transactions with high-risk countries.

On October 22, 2024, the Consumer Financial Protection Bureau finalized a rule concerning the portability of consumers’ personal financial data.

On October 15, 2024, the U.S. Court of Appeals for the Second Circuit vacated the dismissal of a proposed class action against the National Basketball Association under the Video Privacy Protection Act, holding that the named plaintiff successfully pled that he was a “consumer” protected by the Act by virtue of his subscription to the Defendant’s online newsletter.

On October 16, 2024, the Federal Trade Commission issued a final Click-to-Cancel Rule, also known as the Negative Option Rule, updating its existing regulatory scheme that requires sellers to make it as easy for consumers to cancel their subscriptions and memberships as it is to sign up in the first place. 

On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an Industry Letter warning companies to update their AI security procedures around multifactor authentication, which are potentially vulnerable to deepfakes and AI-supplemented social engineering attacks.

On October 16, 2024, the European Data Protection Board announced it had adopted Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive following a public consultation.

On October 10, 2024, the Council of the European Union adopted the EU’s new regulation on horizontal cybersecurity requirements for products with digital elements.

October 17, 2024, is the final day for EU Member States to implement the necessary measures for transposing the NIS2 Directive into their national laws.