NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity
On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways. The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure. Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory. In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures. The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements.
EU and U.S. Regulators respond to the Uber breach
The disclosure by Uber of a data breach that occurred in October 2016 has prompted a growing number of regulators to open investigations into the company. According to Bloomberg, the breach (which Uber disclosed on November 21, 2017) involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.
In Wake of the Equifax Breach, New York’s Attorney General Proposes New, Stricter Data Privacy Law
Earlier this month, on November 2, New York Attorney General Eric T. Schneiderman announced that he was working with New York state legislators to introduce comprehensive new legislation to address data breaches and data privacy. After pointing to the Equifax breach as the impetus for the legislation, the Attorney General’s Office also explained that it had received over 1,300 data breach notifications in 2016, affecting 1.6 million New Yorkers. To address these issues, the proposed Stop Hacks and Improve Electronic Data Security (SHIELD) Act would require companies to take steps to protect private information, broaden the types of private information covered, and increase potential penalties for failures to comply with the law. This post summarizes the key aspects of the proposed legislation and compares it to other recently enacted data privacy legislation.
Preparing for GDPR – Guidance from the Article 29 Working Party
The EU General Data Protection Regulation (GDPR) represents the biggest change to EU data protection law in more than twenty years. It has grabbed headlines as a result of its extra-territorial reach and the potentially vast fines for non-compliance. (For a general overview of the GDPR, please refer to our Alert Memo.) With the GDPR’s May 25, 2018 effective date rapidly approaching, the Article 29 Working Party (an advisory group made up of representatives from EU data protection authorities as well as the European Commission) recently published its latest wave of GDPR guidance. In this post, we summarize both the prior guidance and the most recent update, which covers critical issues such as data breach notification requirements and the calculation of penalties for non-compliance.
The Active Cyber Defense Act: Congress Considers Authorizing Companies to Use Offensive Measures Against Cybercriminals
Cyberattacks have increased in scope and severity over the past few years, including the widespread WannaCry ransomware attacks and the Equifax breach in which the personal data of over 140 million people may have been stolen. Due to the increasing number of breaches and the difficulties that law enforcement faces in responding to these events in a timely manner, a bill has been proposed in the U.S. Congress that seeks to empower private actors to use cyber defensive measures outside the boundaries of their networks. Rep. Tom Graves (R-Ga.) introduced the Active Cyber Defense Certainty Act (the “Act”) to protect from criminal prosecution companies who use certain countermeasures against cyber intrusions.[1] Whether or not this legislation is ultimately adopted, it highlights some of the unique difficulties in effectively addressing cybercrime and the ongoing efforts by the government to enlist the aid of the private sector.
NAIC Adopts Insurance Data Security Model Law
On October 24, 2017, the National Association of Insurance Commissioners (the “NAIC”) adopted the Insurance Data Security Model Law (the “Model Law”). According to the NAIC’s press release, the purpose of the Model Law is to provide “rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach.” The NAIC is a U.S. standard-setting and regulatory support organization composed of state-level insurance regulators, and the Model Law is non-mandatory model legislation that individual states must adopt before it becomes enforceable within their jurisdiction. Importantly, based on a Drafting Note in the Model Law, the drafters intended for entities that are in compliance with the New York State Department of Financial Services (the “DFS”) Cybersecurity Regulations, which apply to DFS-licensed banks and insurance companies operating in New York, to automatically also be in compliance with the Model Law. Similar to the DFS’s Cybersecurity Regulations, the Model Law sets forth standards for data security, as well as for the response to, and notification of, data breach incidents.
Hong Kong SFC and HKMA Issue New Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading
On October 27, 2017, the Hong Kong Securities and Futures Commission (“SFC”) issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the “Guidelines”), a set of baseline cybersecurity requirements that all persons licensed or registered with the SFC and engaged in internet trading will be required to implement. The Hong Kong Monetary…
Failure to Comply with Breach Notification Requirement in India Costs Yes Bank $1 Million
On October 23, 2017, the Reserve Bank of India (“RBI”), India’s central banking institution, imposed a $1 million fine on Yes Bank Ltd. for failure to report a data breach within two to six hours as mandated by the “Cyber Security Framework in Banks” issued by RBI in June 2016. Under the framework, regulated banks must report all unusual cybersecurity incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank within a two-to-six hour timeframe and provide timely updates if new information comes to light.
CFPB Releases Consumer Protection Principles for Consumer-Authorized Financial Data Sharing and Aggregation
On October 18, the Consumer Financial Protection Bureau (the “CFPB”) released the Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (the “Principles”). The Principles represent a cautious step forward by the CFPB in providing guidance on how institutions holding customer accounts (such as banks) should share information with service providers, including “fintech” companies that obtain customer authorization to access their account information in order to provide services to such customers. Such data aggregation-based service providers can provide useful products and services to consumers, such as fraud screening, identity verification, personal financial management and bill payment, and promote competition in the financial services market. With respect to fraud screening and identity verification services in particular, in the aftermath of the recent Equifax breach, the appeal of such services is obvious. However, with additional sharing of data comes additional risks—the increase in data access points, albeit consumer-authorized, presents new challenges from a cybersecurity and privacy perspective, increasing the possibility of consumers inadvertently losing control of their information.
Financial Stability Board Highlights Multiplicity of Cybersecurity Regulations in the Financial Sector
Last week, the Financial Stability Board (“FSB”) released the results of its stocktake on existing regulations and supervisory practices in G20 jurisdictions with respect to cybersecurity in the financial sector. The FSB is an international body that coordinates the work of national financial authorities and international standard-setting bodies, and the stocktake — essentially a survey — was requested by the G20 Finance Ministers and Central Bank Governors in March 2017.