Peter A. Nelson, Counsel

On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations.

With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus.  Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located.  That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has been for many years.  It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.  

In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client.  The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues.  For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues.  Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case.  Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.

On Tuesday, March 2, 2021, Virginia became the second U.S. state to enact a broad data privacy regime after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. Virginia follows California, which became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in June 2018. The CCPA became operative January 1, 2020 after several amendments necessary for its implementation, which we previously covered here and here.  (California is set to enact another privacy law entitled the California Privacy Rights Act (CPRA) - to update the CCPA in November 2020.)  There is also a raft of other state privacy laws in the pipeline, and Virginia’s new law aligns with a trend toward states ratcheting up broadly applicable privacy-related legal obligations.

The New York Department of Financial Services (“DFS”) recently initiated its first enforcement action against a company for violating DFS’s first-in-the-nation cybersecurity regulation.  As our readers know, we have written quite a few posts and articles about the regulation.  And as we’ve warned, with the regulation now in full effect, covered companies should expect DFS’s Cybersecurity Division to start cracking down on companies that haven’t complied.

Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine. 

On March 21, 2020—just as the COVID-19 crisis began upending our way of life—New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect fully.  The SHIELD Act, which amends New York’s 2005 breach notification law to “keep pace with current technology,” was signed into law on July 25, 2019 by Governor Andrew Cuomo.  The first phase of the Act went into effect in October 2019, and its second phase took effect last month.

Businesses, consumers, and regulators continue to grapple with balancing privacy, cybersecurity, and the response to the COVID-19 pandemic. Last week, this blog explored the increased cyber risks that the pandemic poses to businesses, providing guidance on how businesses can navigate that risk. Yesterday, we reported on a joint letter filed by more than 30 industry groups to the California Attorney General (“AG”) requesting a delay in enforcement of the California Consumer Privacy Act (“CCPA”) due to the burdens that COVID-19 is placing on businesses. Enforcement of the CCPA is currently scheduled to commence as early as July 1, 2020. Earlier this week, Consumer Reports, a consumer advocacy group, urged the AG to reject industry efforts to delay enforcement of the CCPA.

In response to the COVID-19 pandemic, the New York Department of Financial Services (DFS) recently extended by 45 days the deadline for companies to certify compliance with the DFS cybersecurity regulation.  The annual certification is now due on June 1, 2020. 

Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency.  These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.

As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”

On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations.  The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages. 

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.

On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students.  And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.

The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.

New filings in the consolidated Home Depot data breach litigation, which we have previously covered on this blog, indicate that Home Depot and the remaining financial institution plaintiffs have reached a settlement.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders.  An unofficial English translation of the newly-enacted law is available here. 

Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?

On April 28, 2016 the United States Supreme Court proposed a modification to Federal Rule of Criminal Procedure 41 that significantly alters the manner in which the government can obtain search warrants to access computer systems and electronically stored information that will no doubt have an effect on hackers and hacking victims alike. The modification will go into effect on December 1, 2016, barring Congressional intervention.

The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.

On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service.  The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices.  The Order also provides some guidance as to the types of data security policies and practices the CPFB considers important.

American and European officials failed to meet the January 31st deadline for a new agreement on the transfer of data between the United States and Europe, disappointing hopes that the two sides would broker a deal to replace the now-invalidated U.S.-EU Safe Harbor Framework.