New York Passes New Data Security and Breach Notification Requirements
On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law. The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending New York’s data breach notification statute to broaden the circumstances under which notification may be required. The second bill, meanwhile, will require consumer reporting agencies to offer identity theft prevention and mitigation services. Both bills are described in further detail below.
New York DFS Publishes FAQs on New Cybersecurity Regulations
As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.
Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).
On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below:
Developments in the Right to Be Forgotten
As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.
European Developments
In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records. And in February, a French high administrative court referred several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision. The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.
A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten. And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.
NY Data Breaches Reached Record Levels in 2016
New York Attorney General Eric T. Schneiderman announced this week that there were a record number of data breach notices in New York in 2016, with nearly 1,300 reported data breaches exposing the personal records of 1.6 million New Yorkers. These numbers represented a 60 percent year-over-year increase in the number of data breaches reported, and a threefold increase in the number of records exposed.
According to an analysis conducted by the Attorney General’s office, which builds on a 2014 report, most of the exposed records consisted of social security numbers and financial account information, and the leading causes of data security breaches in New York were hacking and inadvertent disclosures. Schneiderman’s statement cautioned that these record numbers make it “all the more important for companies and citizens alike to take precaution when sharing and storing personal data” as “these breaches too often jeopardize the financial health of New Yorkers and cost the public and private sectors billions of dollars.”
Reports Suggest New York DFS to Revise Proposed Cyber Regulations and Delay Implementation
Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016. That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take…
Industry Reacts to New York’s Proposed Cybersecurity Regulation for Financial Services Institutions
On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks. As we covered when Governor…
New York State Proposes Cybersecurity Regulation for Financial Services Institutions
On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks. The proposed regulation will be subject to a 45-day comment period once it is published in the New York State …
House Debates Federal Data Breach Legislation
This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation. Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 existing state data breach laws with a single national standard have so far been unsuccessful. This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
New York Attorney General Unveils Data Breach Proposal
On the heels of a number of well-publicized data security breaches, a White House data breach proposal, and California’s recent changes to its data breach notification statute, New York Attorney General Eric Schneiderman has announced that he will propose legislation to strengthen New York’s data breach notification law. The legislation had not been made public as of the date of publication, but the Attorney General has stated publicly that he anticipates it will include the following elements:
- “Private Information” Definition. The legislation would expand the definition of “private information” that, if breached, requires notice to New York residents. According to the Attorney General, “private information” should be defined to “include both the combination of an email address and password and an email address in combination with a security question and answer,” as well as “medical information, including biometric information, and health insurance information.” It is worth noting that the White House proposal unveiled earlier this week also would cover these data elements, and there are some existing state laws that already cover these data elements. For example, California’s recent amendments to its data breach statute require notice of certain breaches involving “[a] user name or email address, in combination with a password or security question that would permit access to an online account.” In addition, several states, including California and Texas, have breach notification statutes that cover certain types of medical information.
- “Reasonable” Data Security Requirement. Consistent with the approach that a number of other states (including, most recently, California) have taken, the legislation would impose an affirmative obligation on companies to reasonably safeguard “private information,” including through appropriate administrative, technical, and physical safeguards. Massachusetts and Nevada are among the states that have imposed more prescriptive data security obligations.
- Safe Harbor. Schneiderman’s press release provides that “New York should offer a safe harbor if a company adopts a heightened form of security. . . . Once [an entity implements a data security plan that meets the standard], an entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.” The Attorney General’s press release does not say so expressly, but we presume that this safe harbor would pertain to the obligation to maintain reasonable data security safeguards and not to other obligations. In addition, Schneiderman’s proposal would legislate that entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive, for use in litigation, a rebuttable presumption of having reasonable data security.
Cybersecurity Regulators (Renew) Focus on Outside Vendors of Financial Institutions
By David Fagan and Sumon Dantiki
Recently, several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.” The letter requested that financial institutions disclose “any policies and procedures governing relationships with third-party services providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.