On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See, 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. The Regulations also do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulation is wide-sweeping. On August 22, 2017 we published an alert relating to, and providing an overview, of the Regulations and on and February 6, 2018 and August 28, 2018 we published follow-ups highlighting the next round of disclosures required under the Regulations. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damien Privitera also conducted a CLE webinar – Compliance Checkup: NY DFS Cybersecurity Regulations – on August 7, 2018, which can be accessed here
Continue Reading

As of November 1, consumer credit reporting agencies Equifax, Experian and TransUnion are now subject to the New York DFS cybersecurity regulations that first went into effect back in March 2017. In October 2017, following Equifax’s 2017 data breach and smaller breaches suffered by Experian years earlier, DFS passed new proposed regulations applicable to consumer credit reporting agencies, which went into effect in June of this year. These regulations at 23 NYCRR 201 require consumer credit reporting agencies to register with DFS, outlines prohibited practices of consumer credit reporting agencies, and requires consumer credit reporting agencies to comply with DFS’ cybersecurity regulations at 23 NYCRR 500. Consumer credit reporting agencies were required to register with DFS either by September 15, or within 15 days of becoming subject to the regulations, and as with the Part 500 regulations, the Part 201 regulations have phased-in effective dates for compliance with the cybersecurity regulations, which began on November 1. Unlike the Part 500 regulations, consumer credit reporting agencies have less time between the first compliance date and the second, and less time overall from the first compliance date to the fourth and final compliance date on December 31, 2019.
Continue Reading

On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See, 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. Furthermore, the Regulations do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulation is wide-sweeping. On August 22, 2017 we published an alert relating to the Regulations and on and February 6, 2018 we published a follow-up alert highlighting the next round of disclosures required under the Regulations. This alert further highlights the upcoming September 4, 2018 deadline. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damian Privitera also conducted a CLE webinar entitled “Compliance Checkup: NY DFS Cybersecurity Regulations” on August 7, 2018.

A brief overview of who is covered, key dates, and the areas in which compliance must be met is below.
Continue Reading

As we approach the Fall of 2018, data breaches and cybersecurity incidents remain prevalent throughout the U.S. (and the world). No matter what industry you are in, you are susceptible to a breach. This year alone already, breaches have been disclosed by companies such as Saks, Lord & Taylor, Panera Bread, Facebook, Under Armour’s MyFitnessPal App, just to name a few. Those few companies alone account for over 320 million records having been breached. Although not listed, insurance, financial, educational and health care companies and institutions are also not without incident.

In reaction to instances such as those mentioned above, as well as on the heels of Europe’s recently enacted General Data Protection Regulation (“GDPR”), federal and state legislatures throughout the U.S. are in the process of beginning to pass new laws. A few of the trailblazers in new data protection and/or cybersecurity laws are California, Vermont, and New York.

One of the most impactful new laws which companies must be aware of is the California Consumer Privacy Act (the “CCPA”), which follows the GDPR. The CCPA, passed on June 28, 2018, and which will be effective January 1, 2020, is an important law to be aware of because, while it only applies to California citizens, it targets both domestic companies and companies outside of California who do business in the state. It is also largely anticipated that other states will follow in passing similar types of legislation. At its core, this is a consumer friendly law, which will place a great deal of challenges on companies to remain in compliance.
Continue Reading

Regulatory compliance and data privacy and security are often cited as two of the top priorities for corporate counsel. Complying with the “first-in-the-nation” cybersecurity regulations passed by the New York Department of Financial Services last year combines those two priorities into one challenging corporate endeavor. With transitional periods, exemptions, and effective dates of different sections

New York has already been on the forefront in the area of cybersecurity as evidenced by what is widely acknowledged as the first-in-nation cybersecurity regulations promulgated by the New York State Department of Financial Services (the “DFS”). These regulations are far sweeping due to in large part that they cover any non-exempt entity under the