Data Security Law Blog

Visit the Full Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

California Court Weighs in on the FTC’s Data Security Enforcement Authority

Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices.  The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.

Go

Equifax: The Empire State Strikes Back

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

Go

After Equifax: What Should the Public Do?

As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States.  Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses.  Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”  That leaves just about everyone asking: What should we do?

Go

Deadline to Meet DFS Cyber Regulation Is Monday

Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.

Go

DFS Cyber Regulation Countdown: Who Should Certify Compliance?

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

Go

DFS Issues Additional Guidance for Cyber Regulation Compliance

New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year.  Companies covered by the regulation must comply with the first round of requirements by August 28th.

Go

NYS Cyber Regulation Countdown: Continuous Monitoring

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

Go

DFS Cyber Compliance Nightmare?

New survey reports less than half of financial firms will meet deadline

A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

Go

NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Go

Ninety Days and Counting: NY Cyber Regulation’s First Deadline

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

Go

Final DFS Cybersecurity Regulation Issued

New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

Go

“Life is Short. Have an Affair.” And Then Settle With the FTC.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Go

Law Firms and Vendors Mandated to Up Their Cyber Game: Final Installment in a 3-Part Series

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

Go

Cyber Regulation Demands Board Accountability: Part 2 in a 3-Part Series

This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.

Go

Unpacking New York’s Cybersecurity Regulation: Part 1 in a 3-Part Series

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

Go

New York DFS Proposes New Cybersecurity Regulations

Earlier this month, the New York State Department of Financial Services (“DFS”) announced proposed cybersecurity regulations for financial institutions.  This proposal is, according to Governor Cuomo, a “new first-in-the-nation regulation” that is designed to protect financial institutions and their consumers. The proposed regulations are not a surprise.  Late last year, the DFS announced its intention to issue...
Go

Banner Health Suits Raise Significant Questions for Data Breach Class Actions

Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians.  The breach has been reported as the largest for a hospital in 2016. 

Go

The Supreme Court Sends Spokeo Back

Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins.  The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.  

Go

Seventh Circuit (Again) Finds Consumers Have Standing To Sue Over Data Breaches

Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company.  Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.  

Go

The CFTC Proposes Enhanced Cybersecurity Testing Rules

On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.

Go

Target Settles With Credit Card Issuers

Today, Target and a class of banks that issued credit cards that were compromised in the Target data breach announced they have reached a $39.4 million settlement.

Go

New York DFS Proposals Focus on Third-Party Vendor Risk

Earlier this month, the New York State Department of Financial Services (“DFS”) announced that it will propose new cybersecurity regulations for financial institutions.  The DFS made the announcement in a letter to the Financial and Banking Information Infrastructure Committee — an eighteen member organization headed by the Treasury Department that has already begun tackling cybersecurity issues.  

Go