The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

These requirements include:

  • Implement and maintain audit trail requirements (500.06);
  • Adopt written application security requirements (500.08);
  • Adopt written data retention requirements (500.13);
  • Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
  • Implement encryption requirements (500.15).

The final compliance deadline is March 1, 2019.  In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.  More information about the Cybersecurity Requirements can be found here.

The U.S. Treasury recently released a report identifying improvements that would support nonbank financial institutions but also embrace innovation and technology.  Among other things, the report recommends the creation of a national data breach notification standard and the development of effective national and international Fintech policies, including Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) efforts.

In addition to the aforementioned, the report outlines roughly 80 suggestions meant to:

• “Embrace the efficient and responsible use of consumer financial data and competitive technologies;
• Streamline the regulatory environment to foster innovation and avoid fragmentation;
• Modernize regulations for an array of financial products and activities; and
• Facilitate ‘regulatory sandboxes’ to promote innovation.”

A copy of the report can be found here.

This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Continue Reading Sixth Circuit Finds Coverage Under Crime Policy for Business Email Compromise

Personal information has become the prey of relentless poachers. In light of the influx of data breaches, state legislatures are taking action.  Not surprisingly, now every state has enacted data breach notification laws, which are triggered when personal information is breached.  Read below for a summary of relevant state legislation recently adopted or laws recently amended that pertaining to data breach notification.

Arizona

Arizona amended its data breach notification law, effective July 21, 2018. This amendment requires companies to notify affected consumers within a 45-day window upon discovery of a data breach. If the data breach impacts more than 1,000 consumers, companies must also notify the state attorney general as well as the three largest consumer credit reporting agencies. The state attorney general can also impose up to $500,000 in penalties for a company’s non-compliance.

Continue Reading Updates to State Data Breach Laws

On August 1, 2018, NIST will withdraw eleven SP 800 publications that are considered out of date.  These publications will not be revised.  According to NIST the following publications will be withdrawn:

  • SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network
  • SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures
  • SP 800-19 (October 1999), Mobile Agent Security
  • SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
  • SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security
  • SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products
  • SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System
  • SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process
  • SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
  • SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

More information about these publications and the reason for withdrawal can be found here.

As previously discussed, the General Data Protection Regulation (GDPR) created heightened consent standards for companies processing and sharing personal data of EU data subjects.  When processing personal data under the GDPR, consent must be freely given, specific, informed, and unambiguous.  Further, the GDPR requires affirmative action by the user, forcing them to manually “check/click” opt-in boxes.  This removes the potential for “implied consent” under past acceptable practice, where the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked”  (withdrawing their consent).

While the GDPR governs the processing and sharing of personal data, a second set of regulations has already been regulating electronic direct marketing (EDM).  The Privacy and Electronic Communications Regulations (PECR) sets rules that organizations must follow when sending EDM.  As a result, when organizations process personal data for use in EDM campaigns, there must be compliance with both the GDPR and PECR.

Continue Reading How Direct Marketing is Impacted by GDPR and PECR

Since our launch in 2013, Password Protected has made every attempt to provide in-depth relevant data privacy and cybersecurity legal analysis. In our continued effort to provide accessible and useful information, we have modernized our blog to provide readers with a better experience. We have re-formatted with the user in mind, to provide easily digestible information as it happens, delivering the latest in comprehensive privacy and cybersecurity news.

Thank you for your continued readership and engagement. Feedback is always welcome; if you have any questions about our blog you can contact us here.

ICYMI, be sure to read some of our more popular posts from Password Protected as well as these other recent data privacy and cybersecurity developments:

SEC Disclosure Analysis in Light of the Yahoo Settlement

U.S. Companies: Are You Ready for GDPR?

HIPAA in Due Diligence (Part I): Four Key Diligence Questions

South Carolina Requires Cybersecurity Program for Insurance Licensees

New York Cybersecurity Regulations: Additional Testing and Reporting Requirements Take Effect

Considerations in Drafting Limitations of Liability for Data Breaches

— Meaghan and Andrew

It seems that most employees and plan participants “think” their retirement money and data are not at risk.  This is due, in part, because:

  • there are few published incidents of breaches or potential hacks;
  • there has been not a single legal decision involving a cybersecurity breach and a retirement plan; and
  • there is no comprehensive federal regulation that protects qualified retirement plans and service providers.

This blog discusses whether retirement plans are really at risk; and if so why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.

Continue Reading Cybersecurity & Retirement Plans

Yesterday Gov. Jerry Brown signed California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.

Continue Reading New California Privacy Law Could Have Nationwide Implications

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.

Continue Reading South Carolina Requires Cybersecurity Program for Insurance Licensees