New York Issues Final Cybersecurity Regulation

On February 13, 2017, the New York Department of Financial Services (NYDFS) adopted the final version of its first-of-its-kind cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The regulation took effect on March 1, 2017. The final regulation reflects several of the comments offered during the final comment period, which concluded on January 27, 2017. For a list of significant changes from the initial version to the second version, please see our blog post located here. Most of the changes in the final regulation are formatting and technical changes. Some new provisions clarify existing ones; for example, Section 500.17(b) clarifies that the annual report to the Superintendent should cover the prior year. Other minor changes include record retention requirements ...


NYDFS Issues Updated Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period, which concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows: Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities of a Chief Information Security Officer (CISO) outlined in the regulation, that individual is not required to hold this specific title, nor to be dedicated exclusively to performing the duties of the CISO. Section 500.13 — The previous version required each Covered Entity ...

Despite Recent High-Profile Dismissals, Wendy’s Shareholders Try Again with Cybersecurity-Related Derivative Lawsuit

The resilient plaintiffs’ bar is not backing down from its quest to hold directors and officers personally liable for corporate misconduct that leads to cybersecurity breaches. Taking guidance from the failures that resulted in a string of dismissals of high-profile cybersecurity-related shareholder derivative lawsuits, a shareholder of the fast-food chain The Wendy’s Company is taking another shot at imposing liability on corporate leadership for failing to take precautions against cyber-attacks. To be clear, these derivative cases seek to hold the directors and officers liable for mismanagement of the company that led to the data breach, not for the liability arising directly from the data breach itself. Such derivative lawsuits, however, have been largely unsuccessful. On December 16, 2016, a shareholder of the fast-food chain Wendy’s filed a ...

Lessons in Cyber-Hygiene: How John Podesta was Caught by Phishing

Instead of a Hollywood-style cyberattack on an underground bank of highly secure servers, it appears Hillary Clinton’s campaign chairman John Podesta fell victim to a run-of-the-mill phishing email appearing to come from Google. On March 19, 2016, Podesta received an alarming email at his Gmail account indicating that someone had accessed his account and inviting him to click on a Bitly URL (a service providing shortlinks, i.e., shortened URL addresses) pointing to a longer URL that looked like a Google link. According to Bitly’s statistics, the URL sent to Podesta was clicked two times in March. From March to May, it appears the same hackers created 213 short links targeting 108 email addresses on the hillaryclinton.com domain. Reports indicate a similar phishing attack managed to hoodwink former US Secretary of State Colin ...

Lessons in Cyber-Hygiene: Securing Employee Passwords

The human element remains a significant threat vector for institutions of all sizes, and management is well advised to take proactive steps to educate employees and implement effective “cyber-hygiene” policies that minimize the risks associated with the range of social engineering tactics, from phishing to inadvertent disclosures, and curb the opportunities for plain old mistakes. Password protection is among the most obvious areas for improvement in cyber-hygiene. In a recent survey of 750 IT administrators and company “decision makers” sponsored by CyberArk and conducted by Vanson Bourne, 40 percent of organizations reported using a Microsoft Word document or spreadsheet to store administrative passwords, and another 28 percent of those polled use either a shared server or a USB stick to store ...

The Yahoo Class Action: Plaintiff’s Bar Finds a New Cottage Industry

The only “surprise” in the Yahoo class action complaint, filed Friday, September 23, 2016, is that Yahoo issued a press release announcing the breach a mere one day earlier. The class action complaint, signed by three law firms in San Francisco, Boca Raton, and New York, seeks certification for: “All persons within the United States whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016.” Indeed, the complaint makes a number of allegations relating directly to the September 22 press release, including what appears to be a copy-and-paste of the entire release’s language. The stated causes of action are cookie-cutter, with the word “Yahoo” pasted among otherwise generic allegations about the breach and alleged damages. Retention of counsel to work ...

Judge Rules No Standing To Pursue Fear Of “Hacker Harm”

Last week a judge in the Southern District of Illinois trimmed several claims from a class action complaint against Chrysler and Harman International Industries stemming from a 2015 WIRED magazine article. The July 21, 2015 WIRED article described the author’s experience of being a “digital crash-test dummy, a willing subject on whom [two hackers] could test the car-hacking research they’d been doing over the past year.” Less than two weeks after the article was published, on August 4, 2015, the plaintiffs filed their class action complaint against Chrysler and Harman, the maker of the uConnect telematics system, which, among many things, pairs an owner’s smart phone to their car. The plaintiffs allege that they suffer pangs of anxiety and fear because of the possibility that their cars could be ...

RAND Study Estimates Lower Cyber-Incident Costs

According to a new study by the RAND Corporation, published in the Oxford Journal of Cybersecurity, the average cost of a typical cyber breach for an American company is estimated at $200,000, significantly less than the $1,000,000 figure suggested by other organizations, such as the Ponemon Institute. The study analyzed a private data set of 12,000 cyber incidents over a decade, based on corporate losses compiled for the insurance industry. “Relative to all the other risks companies face, the cyber risks often aren’t as big a deal as we think,” said Sasha Romanosky, author of the study. The study concludes, among other things, that the average cyber event costs companies less than 0.4 percent of their annual revenues. A copy of the RAND article can be found here.

Plaintiffs’ Monitoring Activity to Mitigate Increased Risk of Identity Theft Sufficient for Article III Standing in the Sixth Circuit

The Sixth Circuit, in a 2-1 majority decision, has reinstated a class action lawsuit against Nationwide Mutual Insurance Company, finding that the plaintiffs’ alleged “imminent, immediate and continuing increased risk” of identity fraud after hackers accessed personal data on Nationwide’s servers constituted a “cognizable injury” under Article III. The court’s unpublished decision cited a range of alleged damages from the plaintiffs’ complaint, including the time and expense of monitoring their own credit, as well as a study “purporting to show that in 2011 recipients of data-breach notifications were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19%.” Based on these allegations, the court held: “Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish ...

At FTC’s ransomware workshop, FBI says: Don’t pay

In the first event of its fall technology series, the FTC held a public workshop on ransomware on September 7, 2016. According to experts on hand for the event, ransomware is the most profitable malware type in history. FTC Chairwoman Edith Ramirez said that not only is it prevalent and dangerous, but there are challenges associated with thwarting it, including its rapid proliferation, the many vectors of attack, and the vast array of harms. It is an issue of interest to the FTC in its pursuit to protect consumers, but also because, according to Ramirez, failure to address known vulnerabilities may violate the FTC Act. Read the full article at the IAPP website by clicking here.