Goldberg Segalla

All articles by Goldberg Segalla

 

Compliance Deadline Approaching for NY Cybersecurity Regulation

A key compliance date for the NY Cybersecurity Regulation is quickly approaching. September 4, 2018 will serve as the third key implementation date for individuals and companies (Covered Entities) governed by New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). Unless the Covered Entity qualifies for one of the exemptions under 23 NYCRR 500.19, by September 4, all Covered Entities must have completed the following*:
  • create and maintain systems that can reconstruct material financial transactions to support and maintain the obligations of
 

The FTC Gang’s All Here

As we noted in a previous post, the United States Senate has confirmed five new commissioners, bringing a full complement to the Federal Trade Commission (FTC). Four of those commissioners have taken their seats, with the fifth likely to join in the Fall. Earlier this month, the “new” FTC signaled a continued commitment to act in the area of data privacy and security by reaching a settlement with a California company regarding false claims regarding compliance with the European Union-United States Privacy Shield framework 

The FTC Gang’s All Here – Five New Commissioners Confirmed

The Federal Trade Commission (FTC) is widely recognized as the primary federal regulator of cybersecurity and data privacy by virtue of its authority under Section 5 of the Federal Trade Commission Act to take enforcement action against unfair and deceptive trade practices, which authority has been upheld by various courts including the U.S. Court of Appeals for the Third Circuit. For just over a year, the FTC has operated with only two commissioners, one Republican and one Democrat. On April 26, 2018, the United States…  

Better Late Than Never — Time to Get Those Cybersecurity Certifications of Compliance into NYDFS

If you are an individual or company regulated by the New York State Department of Financial Services (NYDFS), you may have received an email from NYDFS reminding you to submit your Certification of Compliance as soon as possible. New York’s relatively new cybersecurity regulation, 23 NYCRR 500 (the Regulation), requires all people and companies covered by the Regulation (Covered Entities) to file an annual statement by February 15 certifying that the entity was compliant (Certification of Compliance) with the Regulation as of December 31 of…  

Congress Rolls Back FCC Privacy Regulations

On March 28, 2017, Congress passed legislation (S.J. Res. 34) that rolled back privacy regulations recently adopted by the Federal Communications Commission. The resolution passed the Senate by a vote of 50-48 and the House by a voted of 215 to 205. This is one of several sets of regulations Congress is rolling back under the authority of the Congressional Review Act of 1996. Under this statute, Congress can nullify administrative regulations by simply passing a joint resolution of disapproval. On December 2, 2016,…  

NYDFS Issues Updated Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows:
  • Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities
 

Lessons From a Presidential Campaign Data Breach

It was perhaps the first major allegation of a cyber breach in a presidential campaign when the Democratic National Committee (DNC) claimed that staff members from the campaign of Bernie Sanders accessed unauthorized information from a voter database maintained by DNC. The DNC leases this database to various campaigns and the campaigns supplement it with their own information. However, campaigns are blocked via firewalls from viewing information supplied by rival campaigns. In this case, members of the Sanders campaign are alleged to have accessed information…  

New Executive Orders and Budget Proposals Contribute to Federal Cyber Security Efforts

The U.S. Government took several steps on Tuesday, February 9, 2016 to deal with the ever-constant issue of data privacy. First, President Barack Obama issued two Executive Orders. The first Executive Order creates the Commission on Enhancing National Cybersecurity. This new Commission will fall under the U.S. Department of Commerce and be “composed of not more than 12 members appointed by the President” though Congressional leadership can offer recommendations. The order, among other things, requires the Commission to make recommendations in several key areas including:…  

CISA Passes as Part of Omnibus Spending Bill

Congress recently passed the Cybersecurity Information Sharing Act of 2015 (CISA) as part of Division N of H.R. 2029, Public Law 114-113 the Consolidated Appropriations Act, 2016, (CAA). As previously reported, on October 27, 2015 the United States Senate passed a different version of CISA, S.754, which without requiring such information sharing, would create a system for federal, state and local agencies to receive threat information from private companies in real time and for the private sector to receive such information in addition and as…  

End of EU Data Privacy Safe Harbor Blockade in Sight?

Negotiators from the European Union and the United States are in the process of negotiating a new agreement that would effectively remove the blockade to the EU Data Privacy Safe Harbor for U.S. companies. We previously wrote about a decision by the European Court of Justice (ECJ) which opened U.S. companies up to potential fines for not protecting their data from U.S. government surveillance programs. Given the potential impact against companies like Facebook and other companies that utilize personal information, EU and U.S. leaders are…  

NYDFS Notifies Federal Regulators of New Potential Cyber Security Regulations

On November 9, 2015, the New York State Department of Financial Services (NYDFS) sent a memorandum entitled Potential New NYDFS Cyber Security Regulation Requirements to several federal and state financial services regulators, including banking, securities and insurance regulatory, administrative and supervisory  bodies. These potential regulations are based on results of two sets of surveys of financial entities about their “cyber security programs, costs and future plans.” NYDFS surveyed 150 banks and 43 insurance companies. The results of the May 2014 banking industry survey are here 

Potential Storms A-Brewin’ for Countries Enjoying the Calm of the EU Cyber Safe Harbor

EU law provides that personal data from the EU can only be transferred to countries that can ensure adequate protection of that data. The European Commission has authority to designate certain countries as “safe harbors” based on the domestic law of that country or that country’s international commitments. The EU Commission granted the United States safe harbor status. However, the European Court of Justice recently held that while the European Commission has authority to make these decisions, they are not binding on individual EU country…  

Controversial Cybersecurity Information Sharing Act Passes Senate, Will Likely Become Law

On October 27, 2015, the United States Senate passed S.754, the Cybersecurity Information Sharing Act (CISA or the Act) 74-21. Without requiring such information sharing, CISA would create a system for federal agencies to receive threat information from private companies in real time. However, the bill is not without controversy. As we discussed in August the Department of Homeland Security raised concerns in July and August that the “real time collaboration” requirement in CISA would not permit them to scrub personal information…  

Out of Security Concerns, Navy Tells Midshipmen to Look to the Stars

The United States Navy is now requiring its midshipmen to learn a skill that seems more relevant in the 19th Century rather than the 21st century: how to navigate by the stars. The training is limited to just a few hours, but will serve a critical function. Computers aboard a ship are susceptible to cyber attacks and Navy personnel need a backup system should the computers fail. On the open ocean, this means looking to the stars. The Navy taught celestial navigation until…  

Not If, But When: Another Health Insurer Hacked

This post first appeared on Goldberg Segalla’s Insurance & Reinsurance Report blog. In mid-September, it was reported that hackers hit another set of health insurance companies. In this case, the hackers hit The Lifetime Healthcare Companies and its affiliates including Excellus BlueCross BlueShield, Univera Healthcare, and The MedAmerica Companies. A full list of plans affected can be found on the press release outlining the details of the attack. Hackers took information on approximately 10 millions customers including seven million from Excellus and three million from…  

NAIC and CSIS Host Cyber Risk Conference

On September 10, 2015, the National Association of Insurance Commissioners (NAIC) and the Center for Strategic and International Studies (CSIS) hosted a conference entitled “Managing Cyber Risk and the Role of Insurance.” Over 300 individuals attended, including more than 30 insurance regulators, senior representatives from the U.S. Departments of Treasury and Homeland Security, and representatives from the private sector. The primary focus of the conference was to explore how the insurance industry can assist in mitigating the damages that result from a cyber…  

DHS – “Privacy Problems with CISA”

The Senate is expected to begin debate this week on S.754, the Cybersecurity Information Sharing Act (CISA) and at least one government agency is raising privacy and civil liberties concerns with respect to this legislation. Specifically, the Department of Homeland Security (DHS) is concerned that the desire to share information in real time could prevent it from scrubbing the data to erase personal identifiable information or other private information contained in the data. The primary purpose of CISA is to encourage the sharing of cyber…  

Two GAO Reports Detail Deficiencies and Improvements in Thwarting Cyber Crimes

The Government Accountability Office (GAO) recently issued two reports on battling cyber threats that are useful for both private and public entities. The first report, issued July 2, 2015, was entitled Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information. In that report, the GAO noted that while, “[d]epository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury)[,] [r]epresentatives from more than 50 financial institutions…  

Sometimes Newer Isn’t Always Better: U.S. Navy is Paying Millions to Keep XP

In March 2014, Microsoft announced that it was phasing out support for its Windows XP operating system, including the continued release of patches protecting against hackers and other intrusions. Although the Windows XP platform, originally released  August 24, 2001, has been replaced by updated versions, the United States Navy agreed to pay Microsoft $9 million annually for continued support of the XP program, which runs many of the Navy’s critical systems, including the Space and Navy Warfare Systems Command.  While only 10 percent of government…  

Congress and the Internet of Things

Despite the trend toward the Internet of Things, some institutions are taking a slow and cautious approach given the possible security vulnerabilities. This includes the U.S. Congress. The Internet of Things usually refers to machine to machine communication.  For example, consider the Microsoft band that monitors heart rate, steps, calories, burned, etc. (which, incidentally, the co-chair of the Congressional Internet of Things Caucus wears). Recent breaches into government computers including the massive data breach at the Office of Personnel Management (“OPM”) clearly demonstrate…  

Cyber Breaches Prompt Government Action

Several government entities are taking action to address the growing rise of cyber-attacks as more fully explained in Goldberg Segalla’s Insurance & Reinsurance Report. As reported in a post by Frederick J. Pomerantz and Aaron J. Aisen, in response to a cyber breach at a major insurer, Connecticut lawmakers are considering legislation requiring insurance companies to encrypt sensitive information.  Furthermore, the Federal Government is considering several proposals  including a Consumer Privacy Bill of Rights and standardized consumer notification procedures.  Similarly, as discussed in…  

NYDFS to Conduct Annual Cyber Assessments on NY Regulated Banks

Governor Andrew Cuomo of New York announced on May 6, 2014 that the New York State Department of Financial Services (NYDFS) would begin conducting “new, regular, targeted cyber security preparedness assessments of the banks [NYDFS] regulates.”  Governor Cuomo noted, Targeted cyber security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached. When consumers sign up for online banking they expect their personal information to be secure and we are working to make sure financial institutions take…  

Don’t Let Love Lead to a Loss

“Better to have loved and lost than never to have loved at all.”  Alfred Lord Tennyson probably did not have computer operating systems in mind when he wrote this famous line. Come April 2014, however, those who aren’t willing to end their love affair with Windows XP may lose big. Windows XP was long the favorite operating system for companies.  However, it was also well-known for its vulnerabilities and that Microsoft actively serviced XP providing patches for these vulnerabilities.  On April 8, 2014, Microsoft…  

It’s a Small World After All – Crimea, Critical Infrastructure, and Cyber Attacks

Worlds away from a quiet ride at a popular amusement park, the world’s eyes are focused on Eastern Europe where a new government has taken over the Ukraine and Crimea is the prize in a fierce geopolitical tug of war.