As our society moves toward a more digital world, it is important to take a step back and review what we are putting online. Recently, data breaches have become a common occurrence in our day-to-day lives. In 2016, personal information from about 25 million Uber customers and drivers in the United States was compromised in a data breach. The notorious website for individuals seeking extramarital affairs, Ashley Madison, has itself fallen victim to a data breach. The hacker dumped 9.7 gigabytes of data onto the dark web. The data released in the Ashley Madison breach included names, passwords, addresses, and telephone numbers of users who created an account on the site. When data breaches like these happen, the Federal Trade Commission (FTC) steps in to protect United States consumers by investigating the source of data breaches and prosecuting hackers.
As a part of the large and cumbersome Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”), Section 1071 was enacted to amend the Equal Credit Opportunity Act (15 U.S.C. 1691 et seq.) to impose data collection requirements on financial institutions. Pursuant to Section 1071 (the “Rule”), financial institutions are required to compile, maintain, and submit to the Consumer Financial Protection Bureau (“CFPB”) certain information concerning credit applications by women-owned, minority-owned, and small businesses. The Rule was not slated to go into effect until the CFPB issued the necessary implementing regulations. Unfortunately, nearly 8.5 years later, there is still no guidance. Consumers and financial institutions alike are at a sort of standstill, unclear on the contours of the Rule's reporting requirements. In November of 2019, the CFPB published a letter to financial institutions promising to develop rules “expeditiously;” the CFPB later hosted an information-gathering symposium on the Rule, yet there is still no clear guidance.