Photo of Jeffrey P. Taft

Jeffrey Taft is a partner in the Firm's Financial Services Regulatory & Enforcement group and the Cybersecurity and Data Privacy practice. His practice focuses primarily on bank regulation, bank receivership and insolvency issues, payment systems, consumer financial services and cybersecurity/privacy issues. He has extensive experience counseling financial institutions, merchants, technology companies and other entities on various federal and state banking and consumer credit issues, including compliance with the Bank Holding Company Act, National Bank Act, International Banking Act, Consumer Financial Protection Act, Truth-in-Lending Act, the Fair Credit Reporting Act, the Electronic Fund Transfer Act, the Equal Credit Opportunity Act, the Fair Debt Collection Practices Act, the Real Estate Settlement Procedures Act, state unfair or deceptive acts or practices statutes, CFPB's UDAAP authority and the development and implementation of privacy, cybersecurity and information security programs under the Gramm-Leach Bliley Act, the NYDFS cybersecurity regulation and industry standards, such as PCI DSS and NIST.

Read Jeff's full bio.

 

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls.

The Amendment follows the three published drafts: two proposals published for formal notice and comment in November 2022 and

On September 25, 2023, the Consumer Financial Protection Bureau (“CFPB”) began its most substantial Fair Credit Reporting Act (“FCRA”) rulemaking yet with an outline of proposed changes to Regulation V, which implements FCRA, ahead of the Bureau’s Small Business Advisory Review Panel.1  The proposals under consideration could have a substantial impact on the data

Oregon has joined 10 other states in enacting a comprehensive data privacy law.1 On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (the “Oregon Privacy Law”) into law. The law imposes a range of new data privacy requirements on non-exempt controllers and processors of Oregon consumer personal data. The Oregon

The New York Department of Financial Services (NYDFS) has proposed revisions to its cybersecurity regulation for banks, insurance companies and other financial services companies. The proposal significantly expands requirements for covered entities, including new requirements for larger companies, expanded governance requirements, additional notice and compliance certification requirements and more.

In this one-hour webinar, members of

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published updated proposed amendments to its cybersecurity regulation (the “2023 Proposal”) applicable to “covered entities.”1 Covered entities are any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking

On March 9, 2023, the Securities and Exchange Commission (“SEC”) announced that Blackbaud Inc. (“Blackbaud”) agreed to pay $3 million to settle charges for alleged misleading disclosures about its 2020 ransomware attack and for alleged disclosure control failures.1

Blackbaud, a South Carolina-based company that provides data management software to colleges, universities, and non-profit organizations,

Cybersecurity has become one of the biggest risks facing the financial services industry, and there have been extensive guidance and initiatives from US banking regulators to help ensure the safety of the institutions and the banking system. Some of the more recent regulatory requirements and other developments will have a significant impact on nonbank financial

As cybersecurity and privacy risks mount, financial services companies face new concerns about compliance and enforcement as well as the risk of business interruption and costly litigation. In this Cybersecurity Awareness Month program, our lawyers will discuss the recent regulatory developments from the New York Department of Financial Services (NYDFS) that are presenting real-world challenges

On March 29, 2022, the US federal banking regulators released instructions on how financial institutions should comply with recently adopted computer-security incident notification requirements.1 These instructions will assist financial institutions in satisfying their obligations under the new requirements once compliance is required on May 1, 2022.

Continue reading.

On February 9, 2022, the US Securities and Exchange Commission (SEC) voted to propose several new rules and amendments to existing rules that would significantly alter the current requirements for investment advisers and funds, with one proposal specifically focused on private funds and the other focused on cybersecurity.

Continue reading.