U.S. Supreme Court Tightens Standing Requirements in TransUnion Decision

On June 25, 2021, the Supreme Court of the United States handed down its decision in TransUnion LLC v. Ramirez, which tightened the Court’s requirements for showing standing and will significantly affect class action litigation, particularly in cases involving causes of action created by federal statute or involving allegations of a potential risk of injury.

(more…)

FCA Letter to E-Money Institutions: Why All UK Payment Service Providers Should Review Their Marketing Practices Now

On May 18, 2021, the UK Financial Conduct Authority (FCA) published a “Dear CEO” letter (the Letter) asking e-money institutions to ensure that their customers understand how their money is protected. The FCA has expressed concern that e-money institutions do not adequately disclose the differences in protections between e-money and bank accounts and that customers are not aware of the differences in protections between e-money services and traditional banking services, in particular that the UK Financial Services Compensation Scheme (FSCS) protection does not apply to e-money accounts.

(more…)

Sidley Welcomes Former-CFPB Enforcement Director Tom Ward

Sidley is pleased to announce that Thomas Ward, who previously served as Enforcement Director at the Consumer Financial Protection Bureau (CFPB), has joined the firm as a partner in the Banking and Financial Services Group in Washington, D.C. As the CFPB’s chief law enforcement officer, Tom was responsible for enforcing more than 20 enumerated consumer financial statutes and the Consumer Financial Protection Act. He established and supervised the strategy in hundreds of active investigations and cases prosecuted by the CFPB’s Office of Enforcement and managed the agency’s 165 enforcement trial lawyers, investigators, and staff. Under his leadership, in 2020, the CFPB brought the second highest number of enforcement actions since its inception, secured its fourth highest amount of redress, prosecuted its largest and most complex litigation docket, and recommitted to enforcing the Fair Lending laws, including filing the first contested Fair Lending action in the CFPB’s history.

(more…)

DOL Puts Plan Sponsors and Other Fiduciaries on Notice: ERISA Requires Appropriate Precautions to Mitigate Cybersecurity Threats

There just may be a new cybersecurity regulator in town.

In an effort it describes as “an important step” toward safeguarding more than $9.3 trillion in retirement assets, the U.S. Department of Labor (DOL) published its first cybersecurity guidance last week (Cybersecurity Guidance). The Cybersecurity Guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) as well as plan participants and beneficiaries.  Significantly, the Cybersecurity Guidance formally states the DOL’s position that cybersecurity is a matter of fiduciary responsibility under ERISA, stating that ERISA requires plan fiduciaries to take appropriate precautions to mitigate cybersecurity risks.

(more…)

East Coast Meets West Coast: Enter the Virginia Consumer Data Protection Act

For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).

The VCDPA, which will not enter into effect until January 1, 2023, borrows heavily from the California Consumer Privacy Act (CCPA) and the European Union (EU) General Data Protection Regulation (GDPR). Perhaps because Virginia was able to benefit from the experience of businesses that have spent the better part of the last five years implementing the GDPR or the CCPA, the Virginia law is less prescriptive and more straightforward than its predecessors, with (one would hope) a correspondingly lighter implementation burden on companies. Nonetheless, there is just enough different in the VCDPA that businesses with a connection to Virginia will need to evaluate whether the law applies to them and how they will comply.

While an exegesis of the VCDPA is beyond the scope of today’s Data Matters post, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the post briefly summarizes the law’s key elements.

(more…)