The New York Department of Financial Services recently announced a new proposed rule, which would require financial institutions and insurers to implement strong policies for responding to cyberattacks and data breaches.  Specifically, the rule would require insurers, banks, and other financial institutions to develop detailed, specific plans for data breaches; to appoint a chief privacy security officer; and to increase monitoring of the handling of customer data by their vendors.

Until now, various regulators have been advancing similar rules on a voluntary basis.  This is reportedly the first time that a state regulatory agency is seeking to implement mandatory rules of this nature.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said New York Governor Cuomo. He added that the proposed regulation will ensure that the financial services industry upholds its commitment to protect customers and take more steps to prevent cyber-attacks.

The rule would go into effect in 45 days, subject to notice and public comment period.  Among other detailed requirements, it will mandate a detailed cybersecurity program and a written cybersecurity policy.  While larger financial institutions already likely have such policies in place, the rule puts more pressure on them to fully comply.  It also mandates the hiring of a Chief Privacy Officer at a time when privacy professionals are already in a very high demand.  To attract top talent, the financial institutions will need to allocate appropriate budgets for such hiring.

Additionally, the rules outline detailed requirements for the hiring and oversight of third-party vendors.  Regulated entities who allow their vendors to access nonpublic information will now have to engage in appropriate risk assessment, establish minimum cybersecurity practices for vendors, conduct due diligence processes and periodic assessment (at least once a year) of third-party vendors to verify that their cybersecurity practices are adequate.  More detailed specifications can be found here.  Other requirements include employment and training of cybersecurity personnel, timely destruction of nonpublic information, monitoring of unauthorized users, and encryption of all nonpublic information.  As DFS Superintendent Maria Vullo explained: “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

Among other notable requirements, the regulations further mandate that banks notify New York’s Department of Financial Services of any material data breach within 72 hours of the breach.  The regulations come at the time when cybersecurity attacks are on the rise.  The proposed rules also follow on the heels of recent legislative initiatives in 4 other states to bolster their cybersecurity laws, as we previously discussed.

The regulations are sweeping in nature in that they potentially affect not only New-York-based companies but also insurers, banks, and financial institutions who conduct business in New York or have customers who are New York residents.  If you are unsure about your company’s obligations and the impact of the proposed rules on your industry, contact Mintz Levin privacy team for a detailed analysis.

As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes.  Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime.  In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps. Please review our updated Mintz Matrix to make sure you understand the latest rules applicable to your business!

According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.  While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.  Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee. Continue Reading Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

It is easy to see networks all around us. The printers at the office, your child’s videogame, the food ordering app on your phone, the fitness band or smart watch on your wrist, the electricity grid for your city, the self-driving cars being tested on our roads, all rely at least in part on networked solutions.  The ubiquity of networks is already staggering and the pace of research and development in this area is poised to increase for years to come.  As the things in our world get smarter and the network of these smart things grows larger, a little-known agency in the U.S. Department of Commerce, the National Institute of Standards and Technology (“NIST” or “Agency”), decided it was time that stakeholders smartened up about the way they discuss networks, connected “smart” things, and the privacy and security challenges associated with them.  Continue Reading Let’s talk about Networks of Things, baby. Let’s talk about you and me.

 

Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often:  KNOW THY VENDORS.

Last week, Phoenix-based Banner Health reported one of the year’s largest data breaches.  Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, providers.   This attack is notable for all companies and not just healthcare providers covered by HIPAA.   Reportedly, the attack occurred through the computer systems that process food and beverage purchases in the Banner system.  In the incident, according to reports, the hackers gained access to the larger systems through the point-of-sale computer system that processes food and beverage purchases.  The attack was discovered on July 13, and Banner believes hackers originally gained access on June 17. Continue Reading To Protect Data: Keep Your Network Access Close, and Your Vendors Closer

On Friday, the heads of the Federal Trade Commission overruled the decision of the Administrative Law Judge (“ALJ”) in In the Matter of LabMd., Inc. The FTC concluded that the ALJ had erred in dismissing the Commission’s case against a lab testing company LabMD and misapplied the unfairness standard.  The key determination by the FTC was that the mere disclosure of sensitive medical information is cognizable harm under Section 5(c) of the FTC Act, 15 U.S.C. § 45(a), irrespective of whether there is further economic or physical harm.   What does this mean for privacy enforcement?   Read on. Continue Reading FTC Plants A Flag With LabMD Ruling: What This Means for Enforcement

Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”) designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12).  Described by its sponsors and the media as “nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers. Continue Reading Colorado Student Data Privacy Bill – What EdTech software providers need to know

While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month.  The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US.  (The European Parliament has also criticized Privacy Shield.)  Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department.  And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.

If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for  formal adoption.  If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed.  Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).

News sources have speculated as to the status of the Article 31 negotiations (see here and here (scroll down)), but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is.  In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.

And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.

PS – for those who’ve been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.

The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have issued the long-awaited final procedures for both Federal and Non-Federal Entities under the Cybersecurity Information Sharing Act (CISA) (“Final Procedures”) that provide information on how DHS will implement CISA.  In addition to the Final Procedures, the agencies also released “Guidance to Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (the “Guidance”).

As we have written previously, a company may share cyber threat indicators (CTIs) and defensive measures (DMs) for cybersecurity purposes “notwithstanding any other provision of law,” and receive certain liability protections for sharing in accordance with the Act.  The Final Procedures and the Guidance are finalized versions of interim guidance previously discussed.  Any decision to share information under CISA is complex and involves factual and legal determinations.

Read on to find out what CTIs and DMs are, and information on the procedures companies must follow to obtain liability protection for sharing CTIs and DMs with the Federal Government.   Continue Reading “Interim” No More: DHS and DOJ Publish Final CISA Guidance on Cybersecurity Sharing 

Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances of the basis of the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation.    There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers.   Read on ….. Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content

Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification and have enacted data security laws to enhance data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur.  By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures.  Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security