Cybersecurity

Subscribe to Cybersecurity via RSS

ThinkstockPhotos-524882074_webOn March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated? 

The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.
Continue Reading New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security
Continue Reading EU Cyber Security and Incident Notification Rules Enacted

Tennesse State CapitolThe State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment1 marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor from its data breach notification statute. However, this is not the case; Tennessee has not removed its primary encryption safe harbor. Even under the amended Tennessee law, data encryption remains an important method for securing data, and one that may reduce notice obligations if a breach occurs.

S.B. 2005 makes three changes to the breach notification statute that may impact whether Tennessee’s notification law applies to a particular data breach situation, and when organizations must send notices to affected individuals.
Continue Reading Tennessee Updates Data Breach Notification Law

ThinkstockPhotos-516780641-webThe Consumer Financial Protection Bureau (CFPB) recently brought its first data security enforcement action, adding itself to the growing list of federal regulators tackling data security issues. The CFPB’s enforcement action was against Dwolla Inc., a Des Moines, Iowa-based online payment platform. The CFPB alleged that Dwolla misrepresented its data security practices, and as a result, Dwolla agreed to pay a $100,000 penalty and to implement significant data security measures.1 While this is only its first data security-related action, the CFPB appears to be taking very seriously its role in securing consumers’ financial information. The requirements the agency placed on Dwolla’s board of directors make this clear, as the board will be held accountable for any security shortcoming by the company. This goes beyond the typical requirements imposed by the Federal Trade Commission (FTC), the regulator with the most extensive data security experience, in its data security enforcement actions. As such, companies, especially financial technology start-ups, should take note of the data security requirements placed on Dwolla by the CFPB, and ensure that any statements made regarding the security of consumers’ information are accurate.
Continue Reading CFPB Brings First Data Security Enforcement Action