The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

These requirements include:

  • Implement and maintain audit trail requirements (500.06);
  • Adopt written application security requirements (500.08);
  • Adopt written data retention requirements (500.13);
  • Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
  • Implement encryption requirements (500.15).

The final compliance deadline is March 1, 2019.  In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.  More information about the Cybersecurity Requirements can be found here.

This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Continue Reading Sixth Circuit Finds Coverage Under Crime Policy for Business Email Compromise

On August 1, 2018, NIST will withdraw eleven SP 800 publications that are considered out of date.  These publications will not be revised.  According to NIST the following publications will be withdrawn:

  • SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network
  • SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures
  • SP 800-19 (October 1999), Mobile Agent Security
  • SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
  • SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security
  • SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products
  • SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System
  • SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process
  • SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
  • SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

More information about these publications and the reason for withdrawal can be found here.

It seems that most employees and plan participants “think” their retirement money and data are not at risk.  This is due, in part, because:

  • there are few published incidents of breaches or potential hacks;
  • there has been not a single legal decision involving a cybersecurity breach and a retirement plan; and
  • there is no comprehensive federal regulation that protects qualified retirement plans and service providers.

This blog discusses whether retirement plans are really at risk; and if so why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.

Continue Reading Cybersecurity & Retirement Plans

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.

Continue Reading South Carolina Requires Cybersecurity Program for Insurance Licensees

In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.

Continue Reading FTC’s Loss in the Eleventh Circuit Will Not Impede Data Security Enforcement

The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.

Continue Reading Don’t Neglect Physical Safeguards as Part of HIPAA Security Compliance

After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.

Continue Reading Retailers, Consent and the GDPR: Is Your Business in Breach?

A “white hat” is an ethical computer hacker who specializes in penetration testing and other testing methodologies to ensure the security of an organization’s information systems. According to the Ethical Hacking Council, “The goal of the ethical hacker is to help the organization take pre-emptive measures against malicious attacks by attacking the system himself or herself; all the while staying within legal limits.”  White hat hackers usually present their skills as benefiting their clients and broader society. They may be reformed black hat hackers or may simply be knowledgeable of the techniques and methods used by hackers.  However, white hats have been known to offer broader hacking services, such as information gathering about persons or entities at odds with those hiring the white hat.  Ethical hackers have been compared to digital versions of private investigators or investigative reporters.

In considering whether to engage a white hat hacker, there are a number of precautions that a company should take to increase the likelihood that the white hat will be credible, professional and ethical and only engage in lawful activities during the course of the engagement.

Credibility.  Consider existing relationships, references and certifications.  For example, the EC-Council offers a Certified Ethical Hacker accreditation.  Many large consulting firms provide ethical hacking services. References from trusted peers are also extremely important.

Background Check.  Conduct a thorough background check.  Although the white hat may be affiliated with a reputable consulting firm, verify his or her experience and credentials and investigate possible criminal history.  Do not assume that what the hacker tells you is true.

Engagement Letter.  Have the hacker sign an engagement letter or similar contract that clearly defines the engagement, prohibits any illegal or unethical conduct, and addresses liabilities, indemnification and remedies where appropriate.  Specify the hacking methods that are and are not acceptable and which information systems, networks and data may be accessed.  Require the hacker to provide proof of adequate professional liability insurance.

Confidentiality Agreement.  Require the hacker to sign a confidentiality or non-disclosure agreement that strictly prohibits the use or sharing with others of any information gathered as part of the engagement and that specifies the penalties for violation or references penalties set forth in the primary agreement.

Oversight.  Monitor the hacker’s activity and be on the lookout for any suspicious activity—both during and after the white hat’s work.  Ensure that the hacker remains within the scope of work defined within the engagement letter.  If the scope of work changes, revise the engagement letter accordingly.  Keep in mind that access to information systems presents opportunities to set conditions for future remote access or other unauthorized, nefarious activities.

Work Product.  Consider the desired work product that will be developed over the course of the white hat’s engagement and whether the white hat should report to the General Counsel or outside counsel to protect privilege.  In order to be admissible in evidence in civil litigation, the white hat must be willing to submit a signed affidavit, which describes under oath the results of the investigation, and to possibly testify.  Not every white hat makes a good witness.

 

As previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks last month. However, it is unclear what, if any, impact the new guidance will have on the rate of SEC enforcement actions in the coming months.

According to a recent study by the NYU Pollack Center for Law & Business and Cornerstone Research, SEC enforcement actions significantly declined last year when compared with 2016. In fiscal year 2016, the SEC brought 92 enforcement actions against public companies and their subsidiaries. In fiscal year 2017, SEC enforcement declined by thirty three percent with the SEC filing 62 enforcement actions against public companies and their subsidiaries. Of the 62 enforcement actions, the SEC filed only 17 actions in the second half of fiscal year 2017. This was the largest semiannual decrease for a fiscal year since the Securities Enforcement Empirical Database (SEED) began collecting data in 2010. Similarly, the total monetary settlements declined from $1 billion over the first half of fiscal year 2017 to $196 million in the second half of the year.

The timing of the decline suggests that the Trump Administration may be reining in regulatory enforcement. However, despite the empirical slow down, Stephanie Avakian and Steven Peikin, the co-directors of the SEC’s enforcement divisions, deny that there has been any directive from the Trump Administration to slow the enforcement arm of the SEC. In fact, during the annual American Bar Association’s white collar conference, the co-directors cautioned that more enforcement actions—especially related to cybersecurity—may be on the horizon. Indeed, the SEC’s new cybersecurity guidelines coupled with the creation of the SEC Cyber Unit at the end of fiscal 2017 will give the SEC new tools to combat cyber related misconduct in 2018.