
InfoBytes Blog

Financial Services Law Insights and Observations



  • NYDFS circulates advisory on file transfers

    Privacy, Cyber Risk & Data Security

    On June 2, NYDFS notified all regulated entities that a SQL injection vulnerability identified in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risk assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” is considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).

    Privacy, Cyber Risk & Data Security State Issues State Regulators NYDFS Department of Homeland Security 23 NYCRR Part 500 Consumer Protection Act

  • Agencies crack down on deceptive Covid-19 treatment claims

    Federal Issues

    On March 3, the FTC, along with the DOJ and FDA, filed a lawsuit against a New York-based marketer of herbal tea for allegedly claiming its tea was clinically proven to treat, cure, and prevent Covid-19. The announcement reiterated the agencies’ commitment to cracking down on companies that unlawfully market unproven Covid-19 treatments. According to the joint agency complaint, the defendants’ deceptive marketing claims that their herbal tea product is capable of preventing or treating Covid-19 (and is more effective than Covid-19 vaccines) are not supported by competent or reliable scientific evidence and pose “a significant risk to public health and safety.” Moreover, the defendants have allegedly repeatedly ignored FTC and FDA warnings that their deceptive advertising and misrepresentations violate the FTC Act, the Covid-19 Consumer Protection Act, and the Federal Food, Drug, and Cosmetic Act. The complaint seeks permanent injunctive relief, civil penalties, and other remedies to prevent the harms caused by the defendants’ deceptive misrepresentations.

    Federal Issues FTC DOJ FDA Enforcement Covid-19 FTC Act UDAP Consumer Protection Act

  • FTC says ISPs provide limited protections for consumer data

    Federal Issues

    On October 21, the FTC reported that internet service providers (ISPs) are able to gather and share large pools of sensitive consumer data while providing limited privacy protections. According to an FTC staff report, ISPs’ data collection and use practices allow them to monitor and record their customers’ every online move, granting them the ability to collect large amounts of information without their customers’ knowledge. The FTC launched the internet privacy study in 2019 under Section 6(b) of the FTC Act and analyzed information from six major ISPs, which comprise roughly 98 percent of the mobile internet market. Three advertising affiliates associated with the ISPs were also asked to provide information on their data collection and use practices. The report found, among other things, that ISPs typically collect and share more customer information than is necessary to provide ISP services. According to the report, some ISPs collected personal information to market products and services, serve targeted ads on behalf of third parties, or share insights into customers’ behaviors with other businesses. The report also found that customers are often placed into categories by “race, ethnicity, sexual orientation, economic status, political affiliations, or religious beliefs,” and that ISPs often share real-time location data with third parties.

    Additionally, the report found that while several ISPs tell customers their personal information will not be sold, the companies’ privacy notices obscure other ways personal data can be used, transferred, or monetized by other parties, and “often bury[] such disclosures in the fine print of their privacy policies.” The report further explained that many customers are often confused about how to opt-out of or limit ISPs’ data collection, adding that while several ISPs promise to retain data only for as long as needed for a business reason, the definition of what constitutes a “business reason” varies widely.

    Chair Lina M. Khan issued separate remarks, emphasizing that the report’s findings are “striking” and “underscore deficiencies of the ‘notice-and-consent’ framework for privacy, especially in markets where users face highly limited choices among service providers.”

    Federal Issues FTC Privacy/Cyber Risk & Data Security Consumer Protection Act

  • FTC brings first action under Covid-19 Consumer Protection Act

    Federal Issues

    On April 15, the FTC announced a civil complaint filed by the DOJ on its behalf, against a St. Louis-based company and its owner for violating the Covid-19 Consumer Protection Act and the FTC Act by making deceptive marketing health claims about their products. (See also DOJ press release here.) This is the first action the FTC has brought under the new law, which makes it unlawful under Section 5 of the FTC Act “for any person, partnership, or corporation to engage in a deceptive act or practice in or affecting commerce . . . that is associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19” or “a government benefit related to COVID–19.” The FTC’s complaint alleges that the defendants deceptively marketed their products as being an effective treatment for Covid-19 based on the results of certain scientific studies, even though they “lacked any reasonable bases” for their claims. According to the FTC’s announcement, the defendants also allegedly advertised—without scientific support—that their products were equally, or more, effective than the currently available vaccines. The FTC seeks an injunction against the defendants, along with monetary penalties and other civil remedies to prevent harm caused by the defendants’ misrepresentations.

    Federal Issues FTC Department of Justice UDAP Deceptive Enforcement Consumer Protection Covid-19 Consumer Protection Act
