Is the Roof on Fire? Data Privacy Risk in the Financial Services Industry

The financial services industry is navigating a minefield of data privacy and cybersecurity risks. Find out more about the threats, and how insurance can help. 

Compliance is difficult, and litigation and enforcement risks are high for financial services companies. With a Proustian rulebook to navigate, it’s impossible to get everything right all the time.

Legal and compliance work in financial services is like maintaining an old house. Over time, some things inevitably need repair. Your job as the homeowner is to figure out what needs to be fixed ASAP and what can proceed at a reasonable pace until your contractor has more time in the spring.

Some issues are loose floorboards in the guest bedroom. Others are red-hot dumpster fires burning right outside your room.


Where do cybersecurity and privacy litigation and enforcement risks fit into this picture? Let’s review some of the main pitfalls:

  1. Securities regulators
  2. Securities litigation
  3. Privacy regulators
  4. Consumer class action litigation

As you would expect, the risks here are most pronounced for retail financial services companies, but significant risks also remain for enterprise-facing companies and managers handling institutional money. (Direct crime-related losses—think ransomware and fraudulent funds transfers—are also a big deal, but that’s a story for another day.)

After walking through the risks, I’ll give you a few insurance tips so you have a plan if you find some leaks.

Risk #1: Securities Regulators

In recent years, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) have been policing registered investment advisers and brokers who have had problems protecting customer information.

The key rules here are Reg S-ID and Reg S-P. From a pure financial exposure perspective, the risk from these types of cases isn’t especially high, but it has been rising in recent years. Proposed amendments to Reg S-P (see below) would create new data breach notification requirements and provide new enforcement hooks.

Reg S-ID (Identity Theft Red Flags)

Reg S-ID says that asset managers, brokers, funds, and other financial services entities who handle accounts for “personal, family, or household purposes” must maintain an appropriately designed identity-theft program.

To pass muster, the program needs to include reasonable and periodically updated policies and procedures to identify red flags for covered accounts, incorporate those red flags into the program, detect red flags that have been incorporated, and respond appropriately to any red flags that are detected.

Since Reg S-ID was passed in 2013, SEC Enforcement has only brought a handful of cases, mostly against entities dually registered as investment advisers and broker-dealers, and mostly in 2022:

Reg S-P (Privacy Rules)

Reg S-P, which has been around for more than 20 years, requires investment advisers, funds, and brokers to adopt written policies and procedures to protect customer records and information (the Safeguards Rule) and to properly dispose of consumer report information (the Disposal Rule).

Enforcement of Reg S-P violations has been sporadic, but there have been some concerning recent signals:

In March 2023, the SEC proposed amendments to Reg S-P. If adopted, they would create new data breach notification requirements.

Disclosure Issues

In 2023, the SEC turned up the heat on cybersecurity for all public companies with new disclosure rules and an enforcement action against SolarWinds and its CISO. Going forward, public financial services companies will be under the microscope.

Risk #2: Securities Litigation

When significant data breaches happen at public companies, plaintiffs’ lawyers are sure to be sniffing around to see if there is a potentially viable securities class action.

The theory in these cases is that a company said misleadingly sunny things about its cybersecurity controls and/or suggested an absence of past material data breaches, and that the “truth was revealed” when a bad data breach was later publicized.

There have been some big wins for the plaintiffs’ bar in the past, including the Yahoo and Equifax cases; there have also been many dismissals. (Also note that there have been several shareholder derivative cases filed against directors in this space.)

Generally, publicly traded financial services companies should be no more or less vulnerable to cyber-related securities litigation than any other company. See below for a couple of recent examples. 

  • Capital One: After an enormous data breach (records of more than 100 million customers), shareholders alleged that the bank lied to them “by publicly extolling their security program while sacrificing adequate cybersecurity in favor of operational convenience.” The case centered on the bank’s optimistic statements about its cybersecurity program. The judge decided that these statements were non-actionable puffery and dismissed the case. (A data breach class action did not end so well for the bank; see below.)
  • Block: Shareholders sued payments company and brokerage Block, Inc. (formerly Square) over a 2021 data breach perpetrated by an insider that exposed the data of about 8 million customers. The securities class action is typical of its kind (see above); it remains pending as of this writing.

For more on recent securities litigation trends, read Woodruff Sawyer’s latest report, Securities Class Action Trends for 2023: Not a Repeat of Year 2022.

Risk #3: Privacy Regulators

Let’s leave the realm of securities lawyers and turn to core privacy and cybersecurity regulatory risks.

Depending on the specific financial services businesses you are in, there are many ways you can be dinged by data privacy regulators. I’m going to group these into two broad (and overlapping) buckets:

  1. Laws focused on the financial services industry
  2. Industry-agnostic data privacy laws

In the first category, non-compliance with the Gramm-Leach-Bliley Act (GLBA) carries some financial risk. And, for banks, the Office of the Comptroller of the Currency (OCC) likes to swoop in to extract fines when big data breaches take place.

In the second category, the Federal Trade Commission (FTC) carries what can be a big stick in the FTC Act. But we haven’t seen too many big splashy actions brought by the FTC against financial services companies (banks are exempted, but others are not).

State regulators continue to noodle around in this space—and, with enforcement of the California Privacy Rights Act scheduled to begin in 2024, state risks will increase. While most state privacy laws exempt records already covered by GLBA, this doesn’t fully insulate financial services companies from state risk.

Risk #4: Consumer Class Action Litigation

When you discover a potential data breach, your initial focus will be a robust incident response process. (During this process, by the way, make sure to keep your insurance advisor in the loop and the terms of your cyber policy front of mind so you maximize coverage.)

Once you have stopped the bleeding, from a financial exposure perspective, you may begin having nightmares about a potential data privacy class action. Here are some prominent recent cases against financial services companies:  

  • Capital One: While a securities class action was a bust for plaintiffs (see above), the data privacy class action against Capital One resulted in a $190 million settlement. Given that more than 100 million customers were affected, this actually seems like a pretty good result for the bank.
  • MOVEit: In 2023, after hackers exfiltrated data by exploiting a vulnerability in the widely used MOVEit Transfer file transfer software, lawyers looking for deep pockets sued many of the companies that had used the software (or whose vendors had). Defendants in pending cases include financial services giants like Prudential, Charles Schwab, Fidelity, and Bank of America. Keep an eye out for future claims involving breaches at third-party service providers.

Insurance Coverage for Cyber Investigations and Litigation

If you are extremely well-prepared and quite lucky, none of these litigation and enforcement risks will ever materialize for you. If you are unlucky, all is not lost! If you have a well-designed cyber policy, insurance should provide some critical support.

A typical cyber insurance policy responds to both first-party and third-party costs associated with a data breach.

  • Common first-party coverages include direct incident response costs such as forensics, legal, data replacement, extortion, and public relations.
  • Common third-party coverages include litigation and privacy regulatory defense, fines, and penalties. Keep an eye on exclusions.

Expert insurance advice matters here. Your coverage and limits should be tailored to the specific types of data that you maintain and mapped to your unique business practices and regulatory risks.

For example, if you are a registered broker-dealer or investment adviser, how (if at all) will your coverage perform in the event of an SEC investigation focused on Reg S-ID or Reg S-P?

If a third-party vendor maintains your sensitive customer data, but you do not maintain it on your servers, how should you be thinking about that risk?

Think about it this way: If you wake up one day and find your house engulfed in flames, you want the Hotshots, not the bucket brigade.
