Category: Policy/Legislation
DFS Superintendent Vullo Reflects on NYS Cyber Regulation: Two Years Later
With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.
State Attorney General Starts Rulemaking Process for California Consumer Privacy Act
Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA). The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.
Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers
Investment advisers may want to think twice before texting clients any advice in the New Year.
In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.
Part 2: More from DOJ on Cyber Investigations and Breach Preparedness
This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.
FDA Issues “PlayBook” for Medical Device Cybersecurity
The Food and Drug Administration is stepping up its game with respect to the cybersecurity of medical devices.
On Monday, the agency announced its launch of a preparedness and response “playbook” to address threats to medical device cybersecurity. The move cited an uptick in cyber-attacks and the potential for bad actors to exploit medical devices.
Part 1: DOJ Weighs In on Cyber Investigations & Breach Preparedness
The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.
Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.
Study Shows Banks Block 80% of Cyberattacks … But is that Enough?
In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?
Part II: Hidden Costs of Bug Bounty Programs
Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.
California Legislature Makes Last-Minute Changes to New Data Privacy Law
As California’s legislative session came to a close late last month, the state’s lawmakers passed SB-1121, approving a series of tweaks to the California Consumer Privacy Act of 2018 or CCPA, the far-ranging data privacy law enacted earlier this summer. The new bill now heads to the governor for consideration.
Las Vegas Shooting Lawsuits: How They Will Impact the Cybersecurity World
Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas. MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack.
Bug Bounty Programs: What Every Organization Needs to Know
More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.
A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now doling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?
Insurance Industry Cybersecurity Law Moves Closer to Becoming a Reality
The insurance industries in South Carolina and Rhode Island may soon be required to adopt formal data security safeguards, a movement sparked by the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The model law, which NAIC adopted in October 2017, establishes minimum standards for data security applicable to insurance providers. It is part of a growing body of state-level cybersecurity legislation, including the New York State Department of Financial Services regulation issued in March 2017. We blogged about the model law back in January.
M&A and Cyber Diligence: New York’s DFS Issues a Reminder
Over the last year, U.S. companies have been hit with a wave of new data security regulations and agency guidance, ranging from the SEC’s Guidance on Public Company Cybersecurity Disclosures to the European Union’s General Data Protection Regulation (GDPR).
The Warning Behind the Numbers: New York’s 2017 Data Breach Report
On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.
But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handiwork of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.
DFS Issues Compliance Certificate “Reminder”
Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.
The New York Times Features Op-Ed by Craig Newman: “Can the United States Search Data Overseas?”
On February 27, 2018, The New York Times featured an op-ed written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Can the United States Search Data Overseas?” Mr. Newman discusses the critical question in United States v. Microsoft, which is pending before the Supreme Court: should U.S. law enforcement have access to emails stored outside the country? He argues that the fundamental problem of storing data across borders will not be solved by this case, and that legislative action is necessary to properly govern “the vast stores of electronic data that move seamlessly across international borders.”
The DFS Effect: Cyber Meets Sarbanes Oxley
Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.
Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.
“Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach
On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”
More State Data Security Regulation: North Carolina Bill Penalizes Unreasonable Data Security Practices and Requires Rapid Notification
In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher.
Insurers: Are You Ready for More Cybersecurity Regulation? The National Association of Insurance Commissioners Model Law
At the end of last year, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The “purpose and intent” of the law is to “establish[] standards for data security and investigation and notification of data security applicable to insurance providers.”
DFS Filing “Reminder” as Deadline Looms
For the several thousand financial institutions and insurance companies covered by New York’s landmark data security regulation, the first certification of compliance must be filed with the State’s Department of Financial Services in less than a month.
Countdown to the First Annual New York DFS Cyber Regulation Certification
On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.
Equifax Must Turn Over NY Breach Data This Week
New York State regulators won’t be letting Equifax, Inc. off the hook any time soon for last year’s massive data breach that affected more than 145 million Americans.
New York Launches Mid-Term Election Cyber Initiative
Cybersecurity will remain at the top of New York State’s regulatory agenda this year.
In the Cloud: DOJ Issues New Guidance for Collecting Stored Data
The Justice Department is changing its approach to collecting data stored in the cloud.
Part Two: In-Depth Look at New York’s New Data Security Bill
Second in a two-part series.
Last week, in the first part of this series, we examined several key aspects of New York’s proposed data security law, Stop Hacks and Improve Data Security Act or SHIELD Act. In our second and final installment, we discuss three additional aspects of the proposed law.
An In-Depth Look at New York’s New Data Security Bill
First in a two-part series.
As we reported last week, New York Attorney General Eric T. Schneiderman has introduced a bill aimed at protecting New Yorkers from data breaches.
Healthcare Cyber: House Inquiry Targets Medical Software
In its latest inquiry into cybersecurity risks in the healthcare sector, the House Energy and Commerce Committee last week requested a “formal briefing” from medical transcription vendor Nuance Communications, Inc. concerning its handling of the NotPetya malware attack.
Memo to Congress: Five Key Questions for Upcoming Equifax Hearings
Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week.
Equifax Data Suppliers Urged by DFS to Give Hack “Highest Degree of Attention”
Yesterday, New York’s top financial regulator asked state-chartered banks and insurers to take immediate precautions to protect consumers and the financial markets “in light of the cybersecurity attack” at Equifax Inc.
Equifax: The Empire State Strikes Back
Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.” According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”
Hack Hangover: The News Keeps Getting Worse for Equifax
Since the massive data breach at Equifax Inc. was disclosed late Thursday (see our blog here), the news has only gotten worse for the Atlanta-based credit monitoring agency.
8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies
In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.
Deadline to Meet DFS Cyber Regulation Is Monday
Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.
SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative
Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.” A copy of the summary is available here. This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.
DFS Cyber Regulation Countdown: Who Should Certify Compliance?
Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.
FTC Chronicle: “Lessons Learned” from the Agency’s Data Breach Investigations
The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.
DFS Cyber Compliance Nightmare?
Detailed survey results indicate compliance is far from reach
New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017. But is the financial industry ready and equipped to comply with this detailed regulation? According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”
DFS Issues Additional Guidance for Cyber Regulation Compliance
New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year. Companies covered by the regulation must comply with the first round of requirements by August 28th.
11th Circuit Hears Oral Argument in LabMD Case
Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.
For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013. Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patient data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.
A question of harm: LabMD to face off with FTC at 11th Circuit
In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.
NYS Cyber Regulation Countdown: Continuous Monitoring
In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.
In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice. They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”
DFS Cyber Compliance Nightmare?
New survey reports less than half of financial firms will meet deadline
A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.
NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?
In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.
Ninety Days and Counting: NY Cyber Regulation’s First Deadline
Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.
Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions
Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state.
Dueling Cybersecurity Regulations for Healthcare: HHS Meets New York State
For healthcare insurers that operate in New York, data security regulation has gotten more complicated. The U.S. Department of Health and Human Services’ Office for Civil Rights has been the industry’s primary data security regulator.
The FTC and LabMD’s Legal Battle Gets Personal: First Amendment Claims Against FTC Lawyers Survive
The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.
New York’s Cyber Regulation: A National Blueprint?
New York’s top banking regulator would like the state’s new sweeping – and highly detailed – cybersecurity regulation to serve as a national model for insurance companies in safeguarding their institutions from cybercrime.
NAIC Model Cyber Law: Yet Another Regulatory Measure
The National Association of Insurance Commissioners’ (NAIC) model cybersecurity law will take center stage later this week at the group’s annual meeting in Denver.