Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.
By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:
- an audit trail that shows detection of and response to material cybersecurity events;
- written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
- data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
- risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.
Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information. (more…)
On August 7, a group of regulators from 11 jurisdictions published a consultation (the Consultation) on the Global Financial Innovation Network (the GFIN), which aims to promote international cooperation on innovation and the use of technology in financial services (FinTech) and in regulatory processes (RegTech).
The group — which includes the U.S. Consumer Financial Protection Bureau, the UK Financial Conduct Authority (the FCA), the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore (MAS) — is one of the first major collaborative efforts on FinTech and RegTech issues among regulators in developed financial services markets. The Consultation builds on the FCA’s proposal earlier this year to create a “global sandbox” for innovative financial services firms.
This post summarizes the proposed role of the GFIN, the issues on which its founding regulators are consulting and how these may affect financial services firms.
*This article first appeared in the July 2018 issue of Digital Health Legal
Massive data breaches. Threats to medical devices. The Internet of Persons. Healthcare entities are all too familiar with the rising cyber threat. But they are also familiar with the complex array of laws and regulations in the United States that attempt to address the threat and the potentially significant compliance costs and risks caused by that complexity. The US Court of Appeals for the Eleventh Circuit’s recent and long-awaited decision in LabMD v. Federal Trade Commission, which trimmed the sails of one of the primary regulators of the healthcare information security landscape, may thus appear to some, at first blush, to be a necessary corrective. Yet closer inspection shows that the Eleventh Circuit’s decision raises more questions than it answers – and that its true implications will only become clear once we see how federal regulators, the courts, and perhaps Congress respond.
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. According to NAIC’s news release announcing this development, the Model Law was meant to build on the organization’s cybersecurity progress and create a “platform that enhances our mission of protecting consumers.” (For more information on the development of the Model Law, see our prior coverage.) (more…)
*This article originally appeared in Practical Law Journal July/August 2018.
In her regular column on corporate governance issues, Holly Gregory discusses the rapidly changing cybersecurity landscape, and the role of the board in addressing cybersecurity risks to the company.
Soon after he took office, President Trump issued Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Given that the President spent much of his campaign and early Presidency trying to distance his Administration from that of his predecessor, commentators noted a surprising amount of continuity between Trump’s cybersecurity EO and the Obama Administration’s approach to cybersecurity. A focus on critical infrastructure and transparency from publicly traded companies that control it; an emphasis on the public and private sectors working together; reliance on standards promulgated by the National Institute of Standards and Technology; a focus on protecting the Federal Government’s networks, including by taking steps toward using shared infrastructure such as the cloud – EO 13800 builds on existing policies and initiatives in each of these areas and others. (more…)
In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives. (more…)
Although the prospect of federal legislation on data privacy remains uncertain, states appear to be stepping up the range of their activity on privacy and security. Washington State notably adopted a law on net neutrality and there is the prospect of a ballot initiative in California that would give individuals the right to know which categories of their or their children’s personal data have been collected or traded by businesses. Though Vermont is one of the smallest states, it has been active in privacy regulation and, on May 22, 2018, enacted the first state-level measure aimed at data brokers. (more…)
On May 15, 2018, various media outlets reported that the Trump administration decided to eliminate the position of White House Cybersecurity Coordinator. According to reports, John Bolton, appointed as National Security Adviser effective April 2018, had been instrumental in the decision that the position was no longer necessary based on the reasoning that the role was already addressed by other members of President Trump’s national security staff. The administration’s decision was met with sharp criticism, including from Democrats in Congress such as U.S. Senator Mark R. Warner (D-VA) who called the move “mindboggling” and cybersecurity expert Bruce Schneier, who called it “a spectacularly bad idea.”
Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.
Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.
For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.