Categories & Search

Category: Privacy Regulation

Equifax: The Empire State Strikes Back

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

Go

8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies

In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach.  In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

Go

Deadline to Meet DFS Cyber Regulation Is Monday

Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.

Go

DFS Cyber Regulation Countdown: Who Should Certify Compliance?

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

Go

DFS Cyber Compliance Nightmare?

Detailed survey results indicate compliance is far from reach

New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017.  But is the financial industry ready and equipped to comply with this detailed regulation?  According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

Go

DFS Issues Additional Guidance for Cyber Regulation Compliance

New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year.  Companies covered by the regulation must comply with the first round of requirements by August 28th.

Go

When Health Data Goes Missing: Largest Reported Ransomware Attack

In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.

Go

11th Circuit Hears Oral Argument in LabMD Case

Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.

For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013.  Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.

Go

A question of harm: LabMD to face off with FTC at 11th Circuit

In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

Go

NYS Cyber Regulation Countdown: Continuous Monitoring

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

Go

DFS Cyber Compliance Nightmare?

New survey reports less than half of financial firms will meet deadline

A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

Go

NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Go

Ninety Days and Counting: NY Cyber Regulation’s First Deadline

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

Go

Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions

Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state. 

Go

Final DFS Cybersecurity Regulation Issued

New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

Go

Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

LabMD’s 11th Circuit FTC Appeal: The Opening Shot

Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.

Go

NYS Cyber Regulation Gets Drubbing by Industry Groups in Albany

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.

Go

DFS Cyber Regulation Gets Public Airing in Albany

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.
 

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

DFS Cyber Regulation: Part II - An Interview with Bay Dynamics’ Steven Grossman

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company.  Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom. 

Go

DFS Cyber Regulation: Changing the Rules - An Interview with Bay Dynamics’ Steven Grossman

As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment.  In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.

Go

Law Firms and Vendors Mandated to Up Their Cyber Game: Final Installment in a 3-Part Series

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

Go

Cyber Regulation Demands Board Accountability: Part 2 in a 3-Part Series

This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.

Go

Unpacking New York’s Cybersecurity Regulation: Part 1 in a 3-Part Series

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

Go

LabMD Scores Early Win in FTC Appeal

The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday.  In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.

Go

FinCEN Issues Advisory on the Reporting of Cyber-Events and Cyber-Enabled Crimes

The Financial Crimes Enforcement Network, or FinCEN, an arm of the United States Department of the Treasury, issued an advisory last week to remind financial institutions of their obligations to report cyber-events on Suspicious Activity Reports (SARs).  While FinCEN emphasizes that its advisory does not change existing reporting requirements, it goes to lengths to discuss its “expectations” about what and how information will be reported when it comes to cybersecurity events.

Go

HSS Issues New Guidance on Ransomware Attacks Against HIPAA-Covered Entities

Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records.  Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.

Go

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go

Target Corp. Shareholders Walk Away from Derivative Lawsuits

The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach.  And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.

Go

FTC Delays Ruling in LabMD Appeal

The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm.  In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”

Go