Industry: Financial Services
Government Warns of New Cyber Threats Targeting U.S. Businesses
The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses. These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access. Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware. This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.
New York DFS Announces First Cybersecurity Enforcement Action
The New York Department of Financial Services (“DFS”) recently initiated its first enforcement action against a company for violating DFS’s first-in-the-nation cybersecurity regulation. As our readers know, we have written quite a few posts and articles about the regulation. And as we’ve warned, with the regulation now in full effect, covered companies should expect DFS’s Cybersecurity Division to start cracking down on companies that haven’t complied.
Magistrate Judge Finds Data Breach Investigation Report Not Privileged
Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine.
COVID-19 Cyber Risks Continue to Grow
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Governmental Organizations Across the Globe Warn of Enhanced Cyber Threat Environment Related to COVID-19
In recent weeks, we have seen growing threats to cybersecurity and privacy from malicious actors seeking to exploit the COVID-19 pandemic. As companies transition their employees to remote working and focus their efforts on core business continuity, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit vulnerabilities. The need for robust cybersecurity measures is more pressing than ever, and governmental organizations are issuing calls to action.
DFS Extends Cybersecurity Certification Deadline to June 1, 2020
In response to the COVID-19 pandemic, the New York Department of Financial Services (DFS) recently extended by 45 days the deadline for companies to certify compliance with the DFS cybersecurity regulation. The annual certification is now due on June 1, 2020.
Court Approves Historic Equifax Data Breach Settlement
The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.
CCPA Update: California Attorney General Releases Proposed Regulations
On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.
Amendments to the California Consumer Privacy Act: Six Clarifications
As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020. The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents.
New York’s SHIELD Act Heads to the Governor’s Desk
The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws. Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.
NYS Cyber Regulation: New Rules for Third-Parties
It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations. Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.
DFS Superintendent Vullo Reflects on NYS Cyber Regulation: Two Years Later
With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.
State Attorney General Starts Rulemaking Process for California Consumer Privacy Act
Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA). The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.
Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers
Investment advisers may want to think twice before texting clients any advice in the New Year.
In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.
Part 2: More from DOJ on Cyber Investigations and Breach Preparedness
This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.
Part 1: DOJ Weighs In on Cyber Investigations & Breach Preparedness
The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.
Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.
Study Shows Banks Block 80% of Cyberattacks … But is that Enough?
In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?
M&A and Cyber Diligence: New York’s DFS Issues a Reminder
Over the last year, U.S. companies have been hit with a wave of new data security regulations and agency guidance, ranging from the SEC’s Guidance on Public Company Cybersecurity Disclosures to the European Union’s General Data Protection Regulation (GDPR).
The Warning Behind the Numbers: New York’s 2017 Data Breach Report
On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.
But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.
DFS Issues Compliance Certificate “Reminder”
Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.
The DFS Effect: Cyber Meets Sarbanes Oxley
Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.
Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.
Insurers: Are You Ready for More Cybersecurity Regulation? The National Association of Insurance Commissioners Model Law
At the end of last year, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The “purpose and intent” of the law is to “establish[] standards for data security and investigation and notification of data security applicable to insurance providers.”
Part Two: In-Depth Look at New York’s New Data Security Bill
Second in a two-part series.
Last week, in the first part of this series, we examined several key aspects of New York’s proposed data security law, Stop Hacks and Improve Data Security Act or SHIELD Act. In our second and final installment, we discuss three additional aspects of the proposed law.
An In-Depth Look at New York’s New Data Security Bill
First in a two-part series.
As we reported last week, New York Attorney General Eric T. Schneiderman has introduced a bill aimed at protecting New Yorkers from data breaches.
The Supreme Court Punts on Clarifying the Computer Fraud and Abuse Act
The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.
Memo to Congress: Five Key Questions for Upcoming Equifax Hearings
Richard F. Smith – who presided over Equifax Inc. as CEO during one of the largest data breaches in a generation – will testify before two congressional committees next week.
Equifax Mea Culpa: Too Little, Too Late?
Equifax Inc.’s interim CEO, Paulino do Rego Barros Jr., issued the company’s second public apology this morning for the massive data breach that has affected as many as 143 million U.S. consumers.
In a Wall Street Journal op-ed, Barros acknowledged the company’s ball drop in handling the breach and promised to “act quickly and forcefully to correct our mistakes.” He said the company will introduce a new service that would permit consumers to control access to their personal credit data.
Equifax Data Suppliers Urged by DFS to Give Hack “Highest Degree of Attention”
Yesterday, New York’s top financial regulator asked state-chartered banks and insurers to take immediate precautions to protect consumers and the financial markets “in light of the cybersecurity attack” at Equifax Inc.
Equifax: The Empire State Strikes Back
Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.” According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”
After Equifax: What Should the Public Do?
As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States. Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses. Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” That leaves just about everyone asking: What should we do?
Hack Hangover: The News Keeps Getting Worse for Equifax
Since the massive data breach at Equifax Inc. was disclosed late Thursday (see our blog here), the news has only gotten worse for the Atlanta-based credit monitoring agency.
8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies
In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.
Deadline to Meet DFS Cyber Regulation Is Monday
Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.
SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative
Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.” A copy of the summary is available here. This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.
DFS Cyber Regulation Countdown: Who Should Certify Compliance?
Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.
Federal Appeals Court Says Healthcare Insurer Must Face Data Breach Lawsuit
A federal appeals court earlier this week dealt a blow to healthcare insurer CareFirst, Inc., concluding that a group of customers have the right to pursue a class action data breach lawsuit based on a 2014 cyberattack.
Hackers Target the Bottom Line: Business Operations and Earnings
Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.
DFS Cyber Compliance Nightmare?
Detailed survey results indicate compliance is far from reachNew York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017. But is the financial industry ready and equipped to comply with this detailed regulation? According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”
DFS Issues Additional Guidance for Cyber Regulation Compliance
New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year. Companies covered by the regulation must comply with the first round of requirements by August 28th.
NYS Cyber Regulation Countdown: Continuous Monitoring
In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.
In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice. They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”
DFS Cyber Compliance Nightmare?
New survey reports less than half of financial firms will meet deadlineA new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.
NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?
In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.
Ninety Days and Counting: NY Cyber Regulation’s First Deadline
Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.
The Computer Fraud and Abuse Act Will Need To Wait Another Day In New York’s Commercial Division
Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.
Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions
Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state.
Dueling Cybersecurity Regulations for Healthcare: HHS Meets New York State
For healthcare insurers that operate in New York, data security regulation has gotten more complicated. The U.S. Department of Health and Human Services’ Office for Civil Rights has been the industry’s primary data security regulator.
New York’s Cyber Regulation: A National Blueprint?
New York’s top banking regulator would like the state’s new sweeping – and highly detailed – cybersecurity regulation to serve as a national model for insurance companies in safeguarding their institutions from cybercrime.
NAIC Model Cyber Law: Yet Another Regulatory Measure
The National Association of Insurance Commissioner’s (NAIC) model cybersecurity law will take center stage later this week at the group’s annual meeting in Denver.
DFS Chief to Address State Insurance Commissioners on NYS Cyber Regulation
New York State Department of Financial Services Superintendent Maria T. Vullo is scheduled to discuss the state’s new “first in the nation” cybersecurity regulation later this week at the National Association of Insurance Commissioners annual meeting in Denver.
DFS Final Cyber Regulation: Accountability at the Top
- Page 1 of 2