Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is largely the same as the revised version dated December 28, 2016, which we reported on in early January. Although most of the edits were relatively inconsequential wordsmithing, a few material changes were made, including the following:

  • Section 500.06(b) reduces the records retention requirement for audit trails designed to detect Cybersecurity Events (down to three years from five years).
  • Section 500.19(a)(1) specifies that the limited exemption for Covered Entities with fewer than 10 employees relates to employees that are “located in New York or responsible for business of the Covered Entity.”
  • Section 500.19(a)(2) clarifies that the limited exemption for Covered Entities that have less than $5 million in gross annual revenue in each of the last three fiscal years relates to revenue “from New York business operations.”
  • Section 500.19(f) exempts charitable annuity societies (subject to Insurance Law Section 1110), risk retention groups not chartered in New York (subject to Insurance Law Section 5904), and any accredited reinsurer or certified reinsurer pursuant to 11 NYCRR 125 – provided that these organizations do not otherwise qualify as a Covered Entity.

The Cybersecurity Regulation likely will have implications far beyond New York and the Covered Entities that are directly subject to the NYDFS’s enforcement authority. Given the significant number of financial institutions that will be required to comply, other regulators, clients, customers and counterparties may begin to view these new requirements as a baseline standard for cybersecurity in the financial industry.

Will the proposed “Countering Russian Hostilities Act” stop Russian cyberattacks?

On Jan. 10, 2017, a bipartisan group of five Republican and five Democratic senators announced their support for the Countering Russian Hostilities Act of 2017. Lindsey Graham, one of the senators who announced the proposed legislation, told The Wall Street Journal that he is confident the bill will get overwhelming support.[1] One reporter agreed, stating the bill “has a good chance of being passed in the Senate.”[2]

Title I of the Countering Russian Hostilities Act would codify the sanctions imposed by President Barack Obama in the April 1, 2015, Executive Order 13694, as amended on Dec. 28, 2016. Title II of the legislation would codify sanctions imposed on Russia in response to its annexation of Crimea, its occupation of South Ossetia and Abkhazia, its invasion of Ukraine, and its actions in Syria.

Obama promulgated Executive Order 13694 in response to hacking by Chinese state-supported groups against U.S. government agencies and private businesses.[3] The executive order directed the secretary of the Treasury, in consultation with the attorney general and the secretary of state, to take actions against individuals and organizations that engaged in cyber-enabled activities originating from persons located outside the United States that were likely to result in or contribute to a threat to the national security, foreign policy, economic health or financial stability of the United States. The authorized actions included barring such individuals from traveling to the United States and blocking the transfer of U.S.-based funds and other assets of such persons.

FINRA Seeks Comment on Blockchain

On Jan. 18, 2017, the Financial Industry Regulatory Authority (FINRA) became the latest organization to weigh in on distributed ledger technology (DLT), also known as blockchain. Recognizing the growing interest and potential benefits surrounding the implementation of DLT, FINRA published a report examining the impact of blockchain on the financial services industry.

Blockchain is essentially an online database stored in a distributed, peer-to-peer fashion. It employs cryptography to ensure that only users holding a unique private key can edit the parts of the blockchain that they own, while also keeping each user’s copy of the blockchain in sync. DLT can be used to store any kind of digital information, and it serves as the foundation for the virtual currency Bitcoin. In the financial services industry, DLT has the potential to be a cost-saving, efficiency-gaining technology. By providing an immutable record of transactions and party identities, DLT could speed up transactions, cut operations costs, secure infrastructure and help prevent fraud. The emerging technology also could be adapted to carry out processes such as the clearing and settlement of securities.

Federal agencies given new breach response and preparation guidelines

The White House has taken a step toward implementing in federal agencies some breach response best practices currently used in the private sector. On Jan. 3, the White House issued a memorandum (Memo) updating, for the first time in almost a decade, its guidelines on how federal agencies should prepare for and respond to a breach of personally identifiable information. The Memo comes on the heels of a 27 percent increase (between 2013 and 2015) in the number of incidents reported by federal agencies and addresses certain “changes to laws, policies, and best practices that have emerged since the Office of Management and Budget first required agencies to develop plans to respond to a breach.”

The Memo first cites the all-too-familiar grim statistics concerning overall bad behavior in the digital privacy world. The identified bad behavior includes the familiar (e.g., identity theft and credit card fraud) and the relatively new (e.g., using stolen information to seek medical treatment and obtain prescription drugs). To address the ever-growing concern for protection in the digital world, the Memo lays out minimum agency requirements for responding to a breach, while allowing agencies to impose stricter standards at their discretion to address an agency’s particular mission and risks. As the Memo recognizes, an “effective detection and expeditious response to a breach is important to reduce the risk of harm to potentially affected individuals and to keep the public’s trust in the ability of the Federal Government…”

Swiss-U.S. Privacy Shield Framework to Launch April 12

On January 11, 2017, the U.S. Department of Commerce, the Swiss Federal Council and the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued press releases announcing that an agreement has been reached on a new cross-border data transfer mechanism, the Swiss-U.S. Privacy Shield Framework (the Swiss Privacy Shield).

The Swiss Privacy Shield replaces its predecessor, the U.S.-Swiss Safe Harbor Framework, more than a year after the European Court of Justice (the “ECJ”) invalidated the U.S.-EU Safe Harbor agreement. The ECJ’s decision led the Swiss government to conclude that the analogous U.S.-Swiss Safe Harbor program no longer provided a sufficient legal basis to protect Swiss personal data being transferred to the United States.

FTC Goes After IoT Device Manufacturer for Alleged Security Vulnerabilities in Routers, IP Cameras

On January 6, the Federal Trade Commission (FTC) announced that it had filed a complaint against Taiwanese D-Link Corp. and its U.S. subsidiary, D-Link Systems Inc. (D-Link), alleging the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. The case is noteworthy for the fact that the FTC did not cite an actual breach affecting D-Link’s devices; rather, it brought the action based on alleged potential harm to consumers that could result from security vulnerabilities associated with the devices.

D-Link sells networking equipment for consumers’ home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to monitor the safety of their homes, young children and even pets by providing access to live feeds from their cameras through a mobile device or a computer.

The FTC alleges that D-Link failed to protect against “widely known and reasonably foreseeable risks of unauthorized access” to the routers and cameras, thus endangering the privacy and security of its customers. These failures, the FTC asserts, could lead to the exploitation of the devices and the exposure of consumer information to attackers.

Tax Season Is in Full Swing: Beware of the W-2 Spear Phishing Scam

Last year we saw an unprecedented number of companies of all sizes fall victim to a W-2 spear phishing scam. The scam usually began with a “spoofing” email that appeared to have been sent by a company’s CEO or CFO to one or more employees in the human resources or payroll department. The email typically requested that all of the company’s employees’ W-2s be sent in PDF format via return message or uploaded to a file sharing site. Unbeknownst to the human resources or payroll department employees, the email did not come from the CEO or CFO but from a criminal who had done enough research to, at the very least, identify the names and email addresses of the CEO or CFO as well as those of the targeted human resources or payroll department employees. Here is an example:

Subject: Treat as Urgent
Date: March 7, 2016 10:55 AM

Hi Tony,

I need copies of all employees’ W-2 wage and tax statements for 2015 to complete a business transaction. I need them in PDF format. You can send them as an attachment.

Jim Smith

Massachusetts Breach Notifications Will Now Be Publicly Available Online

On Jan. 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it will begin making its data breach notification archive publicly available online. Previously, data breach notifications filed with the Massachusetts attorney general were only available through public records requests. The change was made pursuant to the June 2016 amendment to the Public Records Law, which, among other things, authorized individual agencies to post public record information of significant interest that agencies deem appropriate.

“The Data Breach Notification Archive is a public record that the public and media have every right to view,” said Consumer Affairs Undersecretary John Chapman. “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records Law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

Data Breach Trends — 2016: the Year of Ransomware

Over the past year, the BakerHostetler Incident Response team has closely monitored data breach trends, and we are confident in concluding that 2016 was the year of ransomware. Nothing has had a greater impact or has been as widespread in 2016 than ransomware.

From a hospital in California to a police department in Massachusetts, ransomware has been a plague for organizations large and small. And although ransomware has been around for years, 2016 was the year it became an epidemic. Security firm Kaspersky Labs estimates that in the third quarter of 2016, a ransomware infection was occurring every 30 seconds, and a November 2016 study by SentinelOne found that half of all companies surveyed reported a ransomware attack in the past 12 months. With the FBI announcing that ransomware was on track to be a billion-dollar criminal enterprise, it’s no secret that money has been fueling this outbreak.

New York Department of Financial Services Issues Revised Cybersecurity Regulations

With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were slated to go into effect on January 1, 2017. The updated Proposal retains many core concepts from the first, establishing “certain regulatory minimum standards” relating to cybersecurity protections for the customer information and IT systems of banks, insurance companies and other NYDFS-regulated financial institutions. But multiple provisions have undergone substantial revision, ostensibly to address the many concerns and objections that NYDFS received during the 45-day comment period following its September publication of the original version.