top of page


Privacy and Security

Financial services providers are required to comply with several information privacy and security regulations. Regulators have sought to protect consumers from growing privacy and security risks, including data breaches that may result in identity theft and financial loss.


In 2017, 8.6% of all data breaches involved financial services firms totaling 146.5M records. Of those breaches, nearly half were due to hacking by outside parties as opposed to unintended disclosures or other breaches. This makes financial services providers among the highest risk entities for cyber attacks behind healthcare providers.


Regulatory Overview

The Gramm-Leach-Bliley Act (GLBA) requires financial services providers to comply with the information privacy and safeguard rules of 16 CFR 313-314, as enforced by the FTC. Additionally, the SEC routinely brings enforcement actions against financial professionals for privacy and security violations, which may be in addition to sanctions imposed by FINRA. Recently, the CFPB has also brought enforcement actions against financial services providers for security failures under its Dodd-Frank authority.


Because GLBA does not preempt stricter state laws, state attorneys general may also bring separate civil and criminal actions against financial services providers. This does not include state actions for failing to comply with state breach notification laws or civil lawsuits brought by aggrieved parties following a data breach.


Other federal, state, and international laws may also apply to financial services providers as commercial entities. Such rules include CalOPPA, CAN-SPAM, GDPR, and the forthcoming California Consumer Privacy Act (CCPA) to take effect in 2020.


Potential Risks

  • Financial penalties of up to $100k per violation under GLBA

  • Imprisonment for up to 5 years under GLBA

  • Fines and sanctions by the FTC, SEC, and CFPB

  • Professional sanction by FINRA (including loss of licensure)

  • Sanction by state regulatory authorities

  • Civil and criminal actions by state attorneys general

  • Civil actions by aggrieved parties

  • Damage to reputation

  • Disruption to services

  • Loss and corruption of client information

  • Costly breach response, forensic analysis, and remediation

Risk Mitigation

Financial services providers should take proactive steps to reduce their risks. Small firms and solos should especially consider the consequences of a data breach. There are reasonable measures firms can take. The key is identifying threats, closing vulnerabilities, and shoring up compliance gaps.


A good risk mitigation strategy must consider both the regulatory and broader privacy and security issues that create exposure. Firms should employ a holistic approach that recognizes compliance, privacy, and security as interdependent concepts, as not all regulations apply to all entities and meeting minimum compliance standards does not eliminate all risk.


Sensible risk management involves implementing thoughtfully tailored policies, procedures, and physical and technical safeguards. The starting point is identifying your firm’s specific challenges and focusing on the issues that pose the greatest risk. Even a relatively small amount of well-concentrated resources can have a sizeable impact.


Privacy and Security Management Plan

Financial services providers should develop and adopt a comprehensive information management plan. The plan should address all applicable laws and regulations as well as other privacy and security risks impacting the business.


Affordability and practicability are central considerations for small firms and solos. Solutions should be scaled to fit your business. Hollow compliance exercises may not be sufficient if the objective is to meaningfully improve your privacy and security posture and fully protect your legal interests.


Plan Elements

  • Regulatory review

  • Compliance assessment

  • NIST SP800-30 risk assessment

  • *Cybersecurity vulnerability test (recommended)​

  • Information Management Plan

    • Policies and procedures

    • Information controls​

    • Training

    • Auditing

    • Review

  • Vendor security

  • Contingency plan

  • Breach response plan

  • Insurance review


*Performed by expert cybersecurity consultant at the direction of counsel

bottom of page