FTC Amends Safeguards Rule to Expand Notification Requirements for Data Breaches and Information Security Events

On October 27, 2023, the FTC announced amendments to its Safeguards Rule requiring non-banking financial institutions—such as mortgage brokers, accountants, investment advisers, car dealers, and payday lenders—to maintain comprehensive information security programs and report breaches involving unencrypted data of 500 or more consumers within 30 days. The amendments, effective 180 days after publication, aim to enhance transparency and incentivize stronger protection of sensitive consumer financial information.

Law Firm Faces Off Against Carrier/Client for Data Breach

Law firms increasingly face an unexpected adversary after a data breach: the insurance carrier whose insureds they represent, particularly when post-incident investigation and notice decisions diverge. A recent federal lawsuit highlights how cybersecurity preparedness, response planning, and timely communication are now central professional risks that demand clearer expectations and closer coordination between carriers and defense counsel.

Standing in Data-Breach Cases – Risk of Future Injury Remains Unsettled: SCOTUS Skirts Apparent Circuit Conflict

In a pivotal moment for data-breach litigation, the U.S. Supreme Court denied a cert petition in CareFirst v. Attias, leaving unclear whether plaintiffs may claim standing based on potential harm. This ruling emphasizes the difficulty of proving injury in data breach cases, where personal information can be compromised without actual harm. As circuit courts diverge, the implications for identity theft claims remain uncertain.