Businesses in the alternative lending space face unique cybersecurity challenges. Whether it be social security numbers, bank account information, debit and credit card data or other personal information, the very information that these businesses collect and maintain in order to conduct their everyday affairs is the exact type that hackers try to steal each day. If a business does fall victim to a breach, the costs can quickly pile up; expenses can include remediation, business interruption, forensic investigation, restoration of network operations, legal fees and of course, reputational harm. With those costs in mind, having a strong cybersecurity program simply makes good business sense. But it is not just good business sense that should be on the mind of companies that engage in alternative lending. There are both federal and state regulatory requirements that these companies must adhere to with respect to data privacy. 

For those companies looking to implement, or improve upon a cybersecurity program, understanding the regulatory framework in which they operate is vital. Such a framework should set the floor for these organizations’ cybersecurity practices, which can then be improved upon as needed. However, the regulators and legislators have not made it easy. There is currently no single federal or state law regulating the collection and use of personal data, nor is there a single rule governing the notification of consumers if a breach has occurred. Instead, companies must be cognizant of a patchwork of federal and state laws that regulate both data privacy and breach notification. For businesses engaged in alternative lending, awareness of the laws and regulations below is key to the maintenance of cybersecurity and data privacy best practices.

To view the full article, click here.