State and federal regulations both prohibit financial institutions from making certain commercial uses of consumer personal information (and give consumers certain rights with respect to the use of that information) and require financial institutions to take affirmative steps to safeguard the information that they do maintain from third-party bad actors. These two types of requirements overlap substantially in that many of them are embodied in the same public laws, statutory provisions and rules (including the Fair Credit Reporting Act and Title V of Gramm-Leach-Bliley), we attempt to deal with them separately. As to consumer rights to privacy, see the topic page titled Customer Privacy.
This page primarily concerns the obligations of institutions to safeguard information from bad actors, including to dispose of it properly and to provide notice to consumers and regulators in the event of a data breach. Over time, the requirements imposed on financial institutions have become both more extensive and more specific. Section 501 of GLB contains an essentially brief directive that financial institutions must adopt "administrative, technical, and physical safeguards" to "insure the security and confidentiality" of customer information, "protect against any anticipated threats or hazards" and protect against unauthorized access" to this information. By contrast, the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies describes in very substantial detail the scope of a required "Cybersecurity Program," which must include the ability to assert risks, the use of defensive infrastructure, an ability to detect and respond to Cybersecurity Events, to recover from such events, and to notify the regulatory authorities in the case of a bad event. From there, the NY DFS becomes even more detail requiring the appointment of a Chief Information Security Officer, annual reports to the board, penetration testing, vulnerability assessments, and so on.