Categories & Search

Category: Corporate Governance

Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions

Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state. 

Go

Final DFS Cybersecurity Regulation Issued

New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

Go

Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

NYS Cyber Regulation Gets Drubbing by Industry Groups in Albany

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.

Go

DFS Cyber Regulation Gets Public Airing in Albany

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.
 

Go

DFS Cyber Regulation: Part II - An Interview with Bay Dynamics’ Steven Grossman

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company.  Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom. 

Go

DFS Cyber Regulation: Changing the Rules - An Interview with Bay Dynamics’ Steven Grossman

As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment.  In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.

Go

Law Firms and Vendors Mandated to Up Their Cyber Game: Final Installment in a 3-Part Series

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

Go

Cyber Regulation Demands Board Accountability: Part 2 in a 3-Part Series

This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.

Go

Unpacking New York’s Cybersecurity Regulation: Part 1 in a 3-Part Series

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

Go

Cybersecurity Advice from President Obama

We’re writing this week to highlight some of the ways in which President Obama’s evolving views on cybersecurity can help guide corporate governance on this increasingly important subject.  In an interview with Wired Magazine, the President admitted that he is rethinking his own view on cybercrime: comparing it to a “pandemic” no longer addressed by traditional means such as the latest and greatest defensive technologies

Go

Target Corp. Shareholders Walk Away from Derivative Lawsuits

The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach.  And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.

Go

Lessons from LinkedIn: Privacy and Data Security Representations in the M&A Context

Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements.  Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations.  The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.

Go

The Paper Trail: The Potential Data-Breach Sitting in your Printer

In April 2016, the sensitive personal medical information of NFL players was stolen from the car of a trainer who had left the files in a backpack in his locked car.  In 2014, Safeway, Inc. settled charges brought by the State of California stemming from an investigation concerning the improper disposal of hard copies of customer information.  In 2014, an insurance company was exposed when maintenance workers who were supposed to move four boxes of member records between floors, instead threw them out.  In 2011, sensitive information regarding an NYPD task force was found in a Manhattan trash can.

Go

SEC Chair Warns: Cyber Biggest Threat to Global Financial System

The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today.  At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.

Go

Managing Cybersecurity Risk for Nonprofit Organizations: A Fiduciary Duty?

We live in an era of increasingly prevalent cybercrime, and nonprofits are in the crosshairs.  Harvard University, Penn State University and two BlueCross BlueShield entities are just a few nonprofit organizations that reported cyberattacks in 2015, breaches to their data security systems ultimately compromising thousands of personal, confidential and proprietary records.

Go

LabMD’s Waiting Game: Lingering Questions over FTC’s Authority in Data Security Matters

A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek.  Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.

Go

Federal Appeals Court Set to Issue One of the Most Important Privacy Rulings in a Generation

For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad.  It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.

Go

DHS Warns of New Ransomware Threats

The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.

Go

Traditional General Liability Policy Covers Medical Records Mishap

A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.

Go

On the Front Lines of Cybersecurity: The Corporate Challenge

Recent surveys tell us that cybersecurity is the top risk faced by corporate America.  The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern.  And their general counsel agree.  In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.

Go

Are You Adequately Protected by Your Cybersecurity Insurance? The Sky is the Sub-Limit

For businesses and nonprofit organizations searching for cyber insurance, it is important to know if your coverage limits are adequate.  Whether you are in the market for a new policy or renewing an existing one, you should explore whether your policy has a “sub-limit” that places limitations on your losses and liabilities that may be covered.

Go

CFPB’s First Data Security Consent Order: No Breach Required

On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service.  The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices.  The Order also provides some guidance as to the types of data security policies and practices the CPFB considers important.

Go

FTC Reviews Case Over Legal Standard For Data Security Enforcement Action

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision.  The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

Go

The CFTC Proposes Enhanced Cybersecurity Testing Rules

On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.

Go

FDIC & Cyber: Words of Warning to Financial Institutions and their Boards

Financial institutions sit atop a wealth of personal information – not to mention money.  In an interconnected world in which sensitive customer information is stored on servers and in the cloud – and online and mobile banking have become the norm – the Federal Deposit Insurance Corporation (FDIC) is the latest federal regulator to warn financial institutions to make cybersecurity a top priority.

Go