On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. The Regulations also do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulations is wide-sweeping. On August 22, 2017 we published an alert relating to, and providing an overview of, the Regulations, and on February 6, 2018 and August 28, 2018 we published follow-ups highlighting the next round of disclosures required under the Regulations. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damian Privitera also conducted a CLE webinar – Compliance Checkup: NY DFS Cybersecurity Regulations – on August 7, 2018. Continue Reading NYSDFS Upcoming Deadlines Fast Approaching: Next Key Dates are February 15, 2019 and March 1, 2019
As of November 1, consumer credit reporting agencies Equifax, Experian and TransUnion are subject to the New York DFS cybersecurity regulations that first went into effect in March 2017. In October 2017, following Equifax’s 2017 data breach and smaller breaches suffered by Experian years earlier, DFS proposed new regulations applicable to consumer credit reporting agencies, which went into effect in June of this year. These regulations, at 23 NYCRR 201, require consumer credit reporting agencies to register with DFS, outline prohibited practices of consumer credit reporting agencies, and require consumer credit reporting agencies to comply with DFS’ cybersecurity regulations at 23 NYCRR 500. Consumer credit reporting agencies were required to register with DFS either by September 15 or within 15 days of becoming subject to the regulations, and, as with the Part 500 regulations, the Part 201 regulations have phased-in effective dates for compliance with the cybersecurity regulations, which began on November 1. Unlike under the Part 500 regulations, consumer credit reporting agencies have less time between the first compliance date and the second, and less time overall from the first compliance date to the fourth and final compliance date on December 31, 2019. Continue Reading NYDFS Cybersecurity Check-In
On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. Furthermore, the Regulations do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulations is wide-sweeping. On August 22, 2017 we published an alert relating to the Regulations, and on February 6, 2018 we published a follow-up alert highlighting the next round of disclosures required under the Regulations. This alert further highlights the upcoming September 4, 2018 deadline. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damian Privitera also conducted a CLE webinar entitled “Compliance Checkup: NY DFS Cybersecurity Regulations” on August 7, 2018.
A brief overview of who is covered, key dates, and the areas in which compliance must be met is below. Continue Reading NYSDFS Upcoming Deadlines Fast Approaching: Next Key Date is September 4, 2018
As we approach the fall of 2018, data breaches and cybersecurity incidents remain prevalent throughout the U.S. (and the world). No matter what industry you are in, you are susceptible to a breach. Already this year, breaches have been disclosed by companies such as Saks, Lord & Taylor, Panera Bread, Facebook, and Under Armour’s MyFitnessPal app, to name just a few. Those few companies alone account for over 320 million records having been breached. Although not listed here, insurance, financial, educational and health care companies and institutions have also not been without incident.
In reaction to incidents such as those mentioned above, and on the heels of Europe’s recently enacted General Data Protection Regulation (“GDPR”), federal and state legislatures throughout the U.S. are beginning to pass new laws. A few of the trailblazers in new data protection and/or cybersecurity laws are California, Vermont, and New York.
One of the most impactful new laws that companies must be aware of is the California Consumer Privacy Act (the “CCPA”), which follows the GDPR. The CCPA, passed on June 28, 2018 and effective January 1, 2020, is an important law to be aware of because, while it only applies to California citizens, it targets both domestic companies and companies outside of California that do business in the state. It is also widely anticipated that other states will follow in passing similar types of legislation. At its core, this is a consumer-friendly law, and it will pose significant challenges for companies seeking to remain in compliance. Continue Reading Trailblazing States in Data Privacy and Cybersecurity
Regulatory compliance and data privacy and security are often cited as two of the top priorities for corporate counsel. Complying with the “first-in-the-nation” cybersecurity regulations passed by the New York Department of Financial Services last year combines those two priorities into one challenging corporate endeavor. With transitional periods, exemptions, and effective dates of different sections of the regulations phasing in over the next several years, entities subject to these regulations are currently in the midst of, and must remain engaged in, compliance efforts. In this program, Shipman & Goodwin attorneys William Roberts and Damian Privitera will provide an overview of the regulations and compliance strategies and discuss data privacy and security programs more generally.
Topics will include:
- Scope of regulations and regulated entities;
- Limited exemptions, affiliates, third party service providers;
- Currently effective sections of the regulations that require compliance and self-checkups to ensure compliance;
- Preparing for sections of the regulations that become effective and require compliance by September 2018, including encryption, audit trails, application security, limitations on data retention, and training and monitoring of authorized users;
- Identifying gaps in your cybersecurity program and policies, and steps to take to come into compliance;
- Meeting reporting deadlines and approaches to annual Certifications of Compliance.
Who Should Attend: C-Suite Executives, Legal Counsel and IT Personnel in the Insurance and Financial Services Industries
This CLE program has been approved in accordance with the requirements of the New York CLE Board for a maximum of 1.0 credit hour, of which 1.0 can be applied toward the Professional Practice requirement. This program is appropriate for both transitional and nontransitional attorneys.
Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approves or accredits CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to one hour toward your annual CLE requirement in Connecticut, including zero hour(s) of ethics/professionalism.
New York has already been at the forefront in the area of cybersecurity, as evidenced by what is widely acknowledged as the first-in-nation cybersecurity regulations promulgated by the New York State Department of Financial Services (the “DFS”). These regulations are far-reaching, in large part because they cover any non-exempt entity under the control of the DFS – ranging from lenders to insurance companies and others in between – and also any company that does business in New York, not just those based in New York.
In a continued effort to combat cybersecurity and data privacy issues and to prevent hacks, New York is also on the verge of passing the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), which is aimed at protecting the personal information of New Yorkers held by any business. Much like the DFS regulations, the SHIELD Act would have broad reach even outside the borders of New York State, as evidenced by a key feature whereby it would apply to any business that holds sensitive data of New Yorkers, regardless of whether the business does business in the state. The sensitive data that would be protected by the SHIELD Act is not limited to Social Security numbers and other financial data; the Act would also reach any breach that exposes usernames and passwords, biometric data, or private health data. To achieve its goals, the proposed Act would require businesses to adopt reasonable administrative, technical, and physical safeguards for data. What counts as “reasonable” will depend on the size of the company. Among the impetuses for this proposed legislation is the sharp increase in reported data breaches in New York from 2016 to 2017: 1,583 data breaches were reported, and the number of New Yorkers whose personal information was exposed quadrupled to 9.2 million.
These new laws will require entities that do business in New York to ensure compliance and to implement steps to protect personal information. While the SHIELD Act has not yet been enacted, best practice is to put comparable procedures in place now, and to apply those procedures to data involving both New Yorkers and non-New Yorkers. When in doubt, err on the side of protecting as much information as is practicable and reasonable. Even if you are not in New York or do not do business in New York, it is likely that all states will be updating their laws to address cybersecurity and data privacy going forward.