Microsoft has announced that beginning April 8, 2014, its Windows XP operating system will no longer be updated with security patches. This announcement has critical data security implications for financial institutions whose electronic records include personally identifiable information.

Since Windows XP was released in 2001, Microsoft provided user support that included issuing routine security patches that protected against weaknesses revealed by a cyberattack, virus, or other intrusions. When Microsoft stops providing this support, computer systems running on Windows XP will not cease to work, but they will stop receiving these crucial security updates.

What does this mean for businesses and financial institutions?

As of April 8, computers running the Windows XP operating system may become more vulnerable to attack. This means that the use of a computer that runs on Windows XP to process, store, or transmit personally identifiable information that is subject to data security legal requirements—such as regulations implementing the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act—could quickly lead to legal risk or possibly a violation.

Federal and state regulators have already begun to warn about these potential risks. For example, the Washington State Department of Financial Institutions (DFI) announced that it will consider all Internet-connected Windows XP devices a serious security risk. The DFI said it will not accept any electronic information, data, or documents that have been created or stored on a device running Windows XP after April 8. The announcement signals that storing, processing, and transmitting data on Windows XP machines could open an organization up to state regulatory scrutiny as well.

Currently, Windows XP runs on roughly 20 percent of the world's desktop computers and is the base software used to operate many ATMs. It is estimated that more than 4 million federal government computers still use Windows XP. The end of Windows XP security updates raises a concern that hackers may be able to gain access to otherwise protected networks via a Windows XP computer and then use that access to reach the broader network. In other words, if even some of an organization's computers are still running Windows XP after April 8, all of its systems may be susceptible to an attack.

What can you do to protect your organization?

  • Map your data systems and review your network to identify where personally identifiable information, whether it belongs to customers or employees, is stored, transmitted, or processed.

  • Replace any computer running Windows XP with an upgraded computer or operating system as close to April 8, 2014, as possible.

Ballard Spahr attorneys can help clients make decisions about how to prioritize their data configurations and to structure their networks and use of cloud-based services to optimally comply with applicable law and industry best practices.

Our Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products, its experience with the full range of federal and state consumer credit laws, and its skill in litigation defense and avoidance (including pioneering work in pre-dispute arbitration programs).

Members of the Group who are also part of the Privacy and Data Security Group help clients navigate the many laws designed to safeguard health, financial, and other private information. In addition, they help clients respond to security breaches.

For more information, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544, Mortgage Banking Practice Leader John D. Socknat at 202.661.2253, or Lauren McDermott at 202.661.7681.

Copyright © 2014 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
