New York AG Seeks to Require Privacy Violation Notifications

While the law has adapted to the reality of cyberattacks and data breaches, in the wake of recent revelations about Facebook use of personal information, New York’s Attorney General intends to propose legislation to address Privacy Violations — where personal information is obtained or used by organizations in violation of a platform’s terms of service, or the law. Facebook has recently acknowledged that data analytics firm Cambridge Analytica collected personal information of 50 million Facebook users without their consent as part of a political influence…
Continue reading...

Better Late Than Never — Time to Get Those Cybersecurity Certifications of Compliance into NYDFS

If you are an individual or company regulated by the New York State Department of Financial Services (NYDFS), you may have received an email from NYDFS reminding you to submit your Certification of Compliance as soon as possible. New York’s relatively new cybersecurity regulation, 23 NYCRR 500 (the Regulation), requires all people and companies covered by the Regulation (Covered Entities) to file an annual statement by February 15 certifying that the entity was compliant (Certification of Compliance) with the Regulation as of December 31 of…
Continue reading...

Study Finds Nearly Eighty Percent of Respondents Lack Formal Incident Response Plan on Cyberattacks

IBM Security has announced the staggering findings of the third-annual benchmark study on Cyber Resilience — an organization’s ability to maintain its core purpose and integrity in the face of cyberattacks. Conducted by the Ponemon Institute and sponsored by IBM Resilient, more than 2,800 security and IT professionals were surveyed around the world in preparation of “The 2018 Cyber Resilient Organization.” The study found that many organizations continue to be ill-prepared for a cyberattack. Some of the more staggering findings are as follows:
  • 77 percent

Continue reading...

New York’s New Cyber Law Is Beginning to Byte

In late 2016, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations to “promote the protection of customer information and information technology systems of regulated entities.” The DFS defined “covered entities” as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law of New York.  Banks, insurance companies, and…
Continue reading...

DFS Partially Clarifies Who Qualifies for an Exemption Under Cybersecurity Regulation

By the terms of 23 NYCRR 500.19(e), Covered Entities that have determined they qualify for a limited exemption from compliance under 23 NYCRR 500.19(a)-(d) of New York’s new Cybersecurity Regulation — as of August 28, 2017 — are required to file a Notice of Exemption with the New York Department of Financial Services (NYDFS) on or prior to September 28, 2017. The first compliance date of August 28, 2017 in New York’s cybersecurity regulation, and the date for Covered Entities to determine whether they qualify…
Continue reading...

Don’t Be Held Hostage by Ransomware

Chair of Goldberg Segalla’s Cyber Risk Practice Group, John J. Jablonski, Esq., offers insights on avoiding a ransomeware attack in a recent blog post for the Pennsylvania Institute of Certified Public Accountants, accessible here. John will also be sharing his insights on cybersecurity at the PICPA Data Privacy and Security for Professional Service Organizations program in Philadelphia on May 24.…
Continue reading...

Re-Thinking the U.S. Government’s Approach to Cybersecurity

Are the “cybersecurity” tools used by the CIA and NSA causing harm to U.S. businesses and citizens? An analysis of the WikiLeaks materials, and recent hacker activity, suggests the answer may be yes. This month, it was revealed that at least 40 cyber attacks on organizations in 16 countries were conducted with top-secret hacking tools, according to security researcher Symantic Corporation. While not formally blaming the CIA, Symmantic said it connected these attacks to the CIA hacking tools obtained by WikiLeaks, and that the targets…
Continue reading...

April Brings Showers … and Changes to State Data Breach Notification Laws

Over the past few weeks there have been noteworthy changes to data breach notification acts within several states. Of importance, New Mexico enacted its first notification law while Tennessee and Virginia amended existing legislation. New Mexico On April 6, 2017 New Mexico enacted HB 15, the Data Breach Notification Act, making it the 48th state to pass a notification law. The Act goes into effect on June 16, 2017, leaving Alabama and South Dakota as the only states without notification requirements. The Act, drawing…
Continue reading...

IRS Student Loan Application Program Breach Affecting up to 100,000 Taxpayers

On April 6, 2017, IRS Commissioner John Koskinen testified during a Senate Finance Committee meeting that the personal data of up to 100,000 taxpayers may have been compromised by hackers accessing both students’ and parents’ tax information through the Data Retrieval Tool (DRT), a free application for federal student aid data retrieval connected with the Free Application for Federal Student Aid (FAFSA). Obtaining such information allowed these hackers to file fraudulent tax returns and steal refunds. The last breach of this magnitude occurred in 2015,…
Continue reading...