BCLP Banking Blog

Data Privacy & Security

Survey of Banks’ Privacy Practices

To help identify trends in privacy representations, Bryan Cave Leighton Paisner LLP reviewed the websites and privacy notices of Fortune 500 companies identified as primarily engaged in the banking and financial service sectors.

The following summarizes current industry trends: 

  • The vast majority of companies updated their privacy notices to account for the California Consumer Privacy Act (CCPA).
  • Financial institutions are complying with some, but not all, of the enumerated category disclosures required by the CCPA.
  • While only one financial institution stated that they sold personal information, one in five financial institutions failed to clearly articulate whether they did, or did not, sell data.
  • The vast majority of bank and financial institution websites do not include a “Do Not Sell” option.
  • The single financial institution that disclosed that it sold information did comply with the CCPA’s requirement to provide a “Do Not Sell” option.
  • Most banks and financial service companies offered access and deletion rights.
  • The average quantity of behavioral advertising cookies on a bank / financial service company homepage is 10.6.
  • Only one in twelve banks and financial institutions is deploying a cookie notice that seeks opt-in consent.
  • Increased use of adtech cookies negatively correlates with the deployment of an opt-in cookie notice.

GDPR Considerations for Community Banks

The May 25, 2018, compliance effective date of the EU’s General Data Protection Regulation (GDPR) is just weeks away, and by now many U.S.-based companies have at least taken stock of their EU customer base and operations and developed a baseline set of compliance plans.  For many, that might only entail a data inventory and controls that would ensure that changes to the company’s business plan, advertising strategies, and physical footprint are assessed for GDPR compliance in advance, just as with any other area of compliance.  However, for companies whose business relies upon the gathering and use of consumer data, the GDPR implementation process has been onerous.

In particular, as recent American Banker coverage has described, this compliance effort is hitting financial institutions of all sizes hard.  While the exact nature and magnitude of enforcement exposure is still unclear, U.S. banks should take a broad view of their overseas business – including where U.S. customers temporarily work or travel – in order to stay ahead of GDPR compliance issues.

For U.S.-based small businesses, including community banks, the conventional wisdom has focused on whether the institution solicits or services EU customers.  Unfortunately, this approach may cause banks or other businesses to underestimate their potential exposure.

For purposes of the GDPR, compliance obligations for companies without a physical presence in the EU are generally only implicated if the company (1) offers goods or services to individuals located in the EU or (2) monitors the behavior of individuals in the EU, to the extent that behavior takes place within the EU (individuals are referred to affectionately as “data subjects” in the regulation).  Note that the test turns on where the individual is, not on citizenship or residency.

Of particular concern for community banks is whether tourists, foreign work assignments, or overseas service members could cause the bank to become subject to GDPR obligations.


Data Privacy and Security Handbook – 2018 Edition

Bryan Cave Partner David Zetoony has just published the 2018 Edition of the Data Privacy and Security Handbook: A Practical Guide for In House Counsel.

Five years ago few legal departments were concerned with – let alone focused on – data privacy or security. Most of those that were aware of the terms assumed that these were issues being handled by IT, HR, or marketing departments.

The world has changed. Data privacy class action litigation has erupted and data security breaches dominate the headlines. It is now well accepted that data privacy and data security issues threaten the reputation, profitability, and, sometimes, the operational survival of organizations. It is therefore perhaps not surprising to find that in almost every survey conducted of boards and senior management, data issues rank as one of their three top concerns, if not their single greatest concern. With that backdrop, organizations increasingly look to general counsel to manage data privacy and security risks.


How Many Times Do We Have to Tell You Not to Open the Cat Video

Everyone has been in a movie theater when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

  • “Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”
  • “My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”
  • “Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”
  • “My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try to call his house or his wife or his cell phone to double-check, I’m sure his email is legitimate.”

If you were in the movie theater you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit that keystroke that opens the file. Now we see it watching as the person sits down at the computer, logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background, and we know that something is going to happen when, as fast as lightning, the blob springs to life, initiating wire transfers for tens of millions of dollars.


Webinar: What In-House Counsel Should Know About Data Privacy and Data Security Issues in Big Data

March 12, 2015
Noon EDT


The term “Big Data” has become synonymous with the ability to rapidly analyze large volumes of data to predict outcomes and draw other insights. Big Data has grown exponentially as the insights reaped from data analysis have become crucial to the success of many companies. With this growth have come a number of data security and data privacy considerations and requirements for companies involved with big data. Join Jason Haislmaier of Bryan Cave LLP for a discussion of these considerations and requirements, including established and emerging legal standards, regulatory requirements, and best practices for data privacy and data security in a “Big Data” world.


Jason D. Haislmaier, Esq. is a partner in the Boulder, CO office of Bryan Cave LLP. Mr. Haislmaier represents emerging and established companies in technology and intellectual property transactions, with an emphasis on developing strategies for protecting, managing, and commercializing technology and intellectual property assets. He has developed a special area of expertise involving open source software licensing and compliance and works with clients in the U.S. and abroad to develop and implement open source software license compliance strategies. Mr. Haislmaier, who frequently lectures on topics involving open source software, cloud computing and other areas of intellectual property, is currently the Board Chair of the Silicon Flatirons Center for Technology and Entrepreneurship, Intellectual Property & Information Technology, and he has been recognized in Colorado Super Lawyers, 2011–2013 and The Best Lawyers in America 2014.


Data Privacy and Security Team to Discuss Anthem Data Breach

Bryan Cave’s Data Privacy and Security Team will hold a teleconference on Friday, February 6, to discuss the impact of the Anthem Data Breach on firm clients.  Topics include:

  • What information is known,
  • What information is not known,
  • How the breach might impact employees, and
  • What steps companies should consider taking.

The teleconference will be held tomorrow, Friday, February 6, 2015, at 1 ET / 12 CT / 11 MT / 10 PT, and is open to any firm client.

If you would like to join the conference, please send an email to Audrey.Brekel@bryancave.com and she will provide the dial-in information.

David Zetoony is the leader of the firm’s Data Privacy and Security Team.


Risk of Loss Allocation for Fraudulent Wires in the Business Setting

Back in the days when “phishing” was just something your spell checker changed back to “fishing,” everyone thought they understood how the risk of loss was apportioned between a bank and its customers if a third party fraudulently obtained money from someone’s deposit account. With few exceptions, the risk of loss was borne by someone other than the bank customer. Fast forward to today, when there are so many different ways for bank customers to move money in and out of their accounts besides just a paper check.  In 1989 the drafters of the UCC adopted a new Article 4A to address the dramatic increase in wire and other electronic transfers between commercial accounts.

Article 4A continues the traditional risk allocation framework in that unless certain exceptions exist, the bank bears the risk of loss for fraudulent transfers from a commercial deposit account. The major exception is where the bank and its customer have agreed upon certain commercially reasonable security procedures. In that instance the risk of loss for fraud will reside with the customer if the bank proves that it accepted a fraudulent payment order (1) in good faith, and (2) in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. Further, if a bank has established security procedures that a customer has declined to use, and the customer instead agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order if the declined procedure was commercially reasonable.

A recent decision from the 8th US Circuit Court of Appeals, Choice Escrow and Land Title, LLC v. BancorpSouth Bank, applied the provisions of Article 4A to what is becoming a common occurrence today. An employee of Choice clicked on an attachment to an email, which then placed malware on the company’s computer system. Over a period of time the malware gave an unknown third party access to the employee’s username and password and allowed the third party to mimic the computer’s IP address and other characteristics, so that the fraudulent session looked to the bank like the customer’s own. The thieves wired out $440,000 to an account in the Republic of Cyprus. Suffice it to say that when money is fraudulently transferred to an account in the Republic of Cyprus, it never comes back. The customer demanded that the bank reimburse it for the loss and the bank refused. The matter ended up in litigation in federal court.


June 2012 Client Alerts

What do video game, music, and free online telephone networks have in common?  If your employees use them, they can lead to an FTC data security investigation.

Although the days of Napster and Gnutella may be over, the technology upon which those applications were based — peer-to-peer networks or “P2P” — is alive and well in modern-day programs that share video games and music.  As two recent Federal Trade Commission enforcement actions illustrate, companies that permit employees to use P2P applications — either knowingly or unknowingly — may face government investigations and possible liability.  To learn more, please click here to read the Bulletin published by the Data Privacy & Security Team on June 19, 2012.

FTC Cracks down on the Collection of Social Media Data For Employment Decisions

A survey released this year indicates that in some industries almost 40% of employers reviewed job candidates’ profiles on social media sites before making employment decisions.  Ordering a candidate’s social media history is, in many companies, becoming as routine as ordering a credit report or background check.  Most employers do not realize, however, that the Federal Trade Commission has taken the position that social media reports share something else with credit reports — they are covered under the privacy protections of the Fair Credit Reporting Act.   In June the FTC filed a lawsuit in the Central District of California against a company which marketed social media reports to employers to use as “a factor in deciding whether to interview a job candidate or whether to hire a job candidate after a job interview.”  To read more, please click here to read the Bulletin published by the Data Privacy & Security Team on June 14, 2012.

Record Settlement in a Sanctions Case Reached by ING Bank, N.V.

On June 12, 2012, ING Bank, N.V. settled alleged violations of U.S. trade sanctions with the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”) for a record $619 million penalty.  ING Bank’s violations of OFAC sanctions involved more than $1.6 billion worth of funds that were unlawfully routed through the United States despite U.S. sanctions.  To learn more about the allegations against ING Bank and the Settlement Agreement reached, please click here for the International Regulatory Bulletin No. 497 published June 13, 2012 by the International Trade Group.

The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.