Category: Information Security

10 April 2017

New Mexico Enacts Breach Notification and Data Security/Secure Disposal Law, While Tennessee Clarifies Encryption Exception

New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.

08 March 2017

Australia’s Long Anticipated Breach Notification Law Passes

*The authors are not licensed to practice law in Australia, and this information is intended for educational purposes only.

Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.

28 February 2017

NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls

On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods: one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second following the NYDFS’s publication of a revised version of the regulation (on December 28, 2016).

The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.

24 February 2017

New NACD Cyber-Risk Handbook a Reminder of Critical Board Oversight Duties

*This article first appeared in Bloomberg BNA Corporate Law & Accountability Report on February 23, 2017

On Jan. 12, 2017, the National Association of Corporate Directors (NACD) released its new “NACD Director’s Handbook on Cyber-Risk Oversight.” The NACD has suggested that directors can use this Cyber-Risk Oversight Handbook as a resource to “[l]earn foundational principles for board-level cyber-risk oversight” and gain insight into issues including how to:

  • “allocate cyber-risk oversight responsibilities at the board level”;
  • address “legal implications and considerations related to cybersecurity”;
  • “set expectations with management about the organization’s cybersecurity processes”;
  • “improve the dialogue between directors and management on cyber issues”; and,
  • “improve and enhance boardroom practices.”

13 February 2017

Sidley Perspectives on M&A and Corporate Governance: Cybersecurity M&A Due Diligence and Protecting Privilege

The potential liability from a material cyber-attack is wide-ranging. Accordingly, companies that experience network intrusions, system disruptions or unauthorized access to information databases must be prepared for a variety of potential consequences, each attended by its own costs…
13 January 2017

NIST Issues Draft Revision to Cybersecurity Framework

The National Institute of Standards & Technology (NIST) has issued a revised draft version of its Cybersecurity Framework. The document is issued as “Version 1.1” of the existing framework, redlined to show changes from the original framework issued almost three years ago. It is a draft, seeking comment. No period for public comment is specified, except that NIST expects to hold a public workshop on the revised draft “around the fall of 2017.”

05 January 2017

NYDFS Revises Cybersecurity Regulations Incorporating Risk-Based Approach; Maintains Prescriptive Requirements and Certifications

On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.

28 December 2016

The Privacy, Data Protection and Cybersecurity Law Review

The third edition of The Privacy, Data Protection and Cybersecurity Law Review appears as the world is converging on more privacy laws that cover more areas of business and are subject to more enforcement. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.

27 December 2016

NYDFS to Delay New Financial Cybersecurity Rules

After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.

05 December 2016

FCA Outlines its Approach to Cybersecurity in Financial Services Institutions

A recent speech by the Financial Conduct Authority (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, delivered at the Financial Times’ Cyber Security Summit, shows that the FCA, which is the leading financial services regulator in the United Kingdom, is taking the issue of cybersecurity seriously and that it believes new approaches are needed to combat the threat to financial services firms.

The FCA’s concerns are consistent with those being expressed by US banking regulators and the Group of Seven (G-7) industrial nations who agreed on a set of guidelines to combat cyber risks affecting global financial institutions.
