Category: Corporate Governance

The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses.  These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access.  Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware.  This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.

As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.

It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.

That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Security and Exchange Commission (SEC).

Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.

Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.

In a post-Equifax environment, state-level data security regulation is on the rise.  And in many instances, state regulatory regimes are getting tougher.

For the several thousand financial institutions and insurance companies covered by New York’s landmark data security regulation, the first certification of compliance must be filed with the State’s Department of Financial Services in less than a month.

On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.

Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week. 

As we head into the new week, here’s a quick summary of major data security developments from around the country.

Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.

New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year.  Companies covered by the regulation must comply with the first round of requirements by August 28th.

Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.

For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013.  Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations.  Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked.  Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website.  All of this was without El Camino’s permission.

For healthcare insurers that operate in New York, data security regulation has gotten more complicated.  The U.S. Department of Health and Human Services’ Office for Civil Rights has been the industry’s primary data security regulator. 

The National Association of Insurance Commissioner’s (NAIC) model cybersecurity law will take center stage later this week at the group’s annual meeting in Denver.

Over the last few months, the New York Department of Financial Services (“DFS”) cybersecurity regulation has undergone multiple revisions.  But late last week, DFS issued its final regulation, which will go into effect on March 1, 2017.

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier.  In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.

Today, the New York Department of Financial Services (DFS) announced an “updated” cybersecurity regulation that will go into effect on March 1, 2017.  The updated regulation is, in many respects, less stringent than the DFS’s original proposal. 

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.