Author Archives: Aaron J. Aisen

iStock_000038012250_Large

End of EU Data Privacy Safe Harbor Blockade in Sight?

Negotiators from the European Union and the United States are in the process of negotiating a new agreement that would effectively remove the blockade to the EU Data Privacy Safe Harbor for U.S. companies. We previously wrote about a decision by the European Court of Justice (ECJ) which opened U.S. companies up to potential fines for not protecting their data from U.S. government surveillance programs. Given the potential impact against companies like Facebook and other companies that utilize personal information, EU and U.S. leaders are…

Continue Reading....

NYDFS Notifies Federal Regulators of New Potential Cyber Security Regulations

On November 9, 2015, the New York State Department of Financial Services (NYDFS) sent a memorandum entitled Potential New NYDFS Cyber Security Regulation Requirements to several federal and state financial services regulators, including banking, securities and insurance regulatory, administrative and supervisory  bodies. These potential regulations are based on results of two sets of surveys of financial entities about their “cyber security programs, costs and future plans.” NYDFS surveyed 150 banks and 43 insurance companies. The results of the May 2014 banking industry survey are here

Continue Reading....

Potential Storms A-Brewin’ for Countries Enjoying the Calm of the EU Cyber Safe Harbor

EU law provides that personal data from the EU can only be transferred to countries that can ensure adequate protection of that data. The European Commission has authority to designate certain countries as “safe harbors” based on the domestic law of that country or that country’s international commitments. The EU Commission granted the United States safe harbor status. However, the European Court of Justice recently held that while the European Commission has authority to make these decisions, they are not binding on individual EU country…

Continue Reading....
US Capitol

Controversial Cybersecurity Information Sharing Act Passes Senate, Will Likely Become Law

On October 27, 2015, the United States Senate passed S.754, the Cybersecurity Information Sharing Act (CISA or the Act) 74-21. Without requiring such information sharing, CISA would create a system for federal agencies to receive threat information from private companies in real time. However, the bill is not without controversy. As we discussed in August the Department of Homeland Security raised concerns in July and August that the “real time collaboration” requirement in CISA would not permit them to scrub personal information…

Continue Reading....
US Navy

Out of Security Concerns, Navy Tells Midshipmen to Look to the Stars

The United States Navy is now requiring its midshipmen to learn a skill that seems more relevant in the 19th Century rather than the 21st century: how to navigate by the stars. The training is limited to just a few hours, but will serve a critical function. Computers aboard a ship are susceptible to cyber attacks and Navy personnel need a backup system should the computers fail. On the open ocean, this means looking to the stars. The Navy taught celestial navigation until…

Continue Reading....
iStock_000050437260_XXXLarge

Not If, But When: Another Health Insurer Hacked

This post first appeared on Goldberg Segalla’s Insurance & Reinsurance Report blog. In mid-September, it was reported that hackers hit another set of health insurance companies. In this case, the hackers hit The Lifetime Healthcare Companies and its affiliates including Excellus BlueCross BlueShield, Univera Healthcare, and The MedAmerica Companies. A full list of plans affected can be found on the press release outlining the details of the attack. Hackers took information on approximately 10 millions customers including seven million from Excellus and three million from…

Continue Reading....
iStock_000038012250_Large

NAIC and CSIS Host Cyber Risk Conference

On September 10, 2015, the National Association of Insurance Commissioners (NAIC) and the Center for Strategic and International Studies (CSIS) hosted a conference entitled “Managing Cyber Risk and the Role of Insurance.” Over 300 individuals attended, including more than 30 insurance regulators, senior representatives from the U.S. Departments of Treasury and Homeland Security, and representatives from the private sector. The primary focus of the conference was to explore how the insurance industry can assist in mitigating the damages that result from a cyber…

Continue Reading....
Data Protection

DHS – “Privacy Problems with CISA”

The Senate is expected to begin debate this week on S.754, the Cybersecurity Information Sharing Act (CISA) and at least one government agency is raising privacy and civil liberties concerns with respect to this legislation. Specifically, the Department of Homeland Security (DHS) is concerned that the desire to share information in real time could prevent it from scrubbing the data to erase personal identifiable information or other private information contained in the data. The primary purpose of CISA is to encourage the sharing of cyber…

Continue Reading....
iStock_000050437260_XXXLarge

Federal Cyber Legislation – Hurry Up and Wait

Despite the increasing number of data breaches, legislation to address this issue at the Federal level is at a standstill (or close to it). As has been noted in a variety of venues, currently, there is no comprehensive federal law to deal with data breaches. The federal law that does exist is centered on privacy issues for specific industries, e.g., Health Information Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach Bliley Act (GLB) for financial information. While most states and the…

Continue Reading....
iStock_000038012250_Large

Two GAO Reports Detail Deficiencies and Improvements in Thwarting Cyber Crimes

The Government Accountability Office (GAO) recently issued two reports on battling cyber threats that are useful for both private and public entities. The first report, issued July 2, 2015, was entitled Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information. In that report, the GAO noted that while, “[d]epository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury)[,] [r]epresentatives from more than 50 financial institutions…

Continue Reading....