Insurance Industry Moves Towards 72-Hour Breach Notification

Cybersecurity regulators appear to be converging on 72-hour breach notification.  First it was the European Union’s General Data Protection Regulation (“GDPR”), then it was the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) have adopted the Insurance Data Security Model Law (“Model Law”) – all with a 72-hour breach notification requirement.

We have previously posted about how the Model Law closely tracks the NYDFS cybersecurity … Continue Reading

The Rise of State Consumer Protection Act Cyber Cases

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these claims, but plaintiffs and regulators are increasingly having success with allegations of unfair business practices.  At the federal level, the Federal Trade Commission (“FTC”) has … Continue Reading

Cybersecurity and Vulnerability Assessments: Evolving Law on Hacking and Extortion in the Age of Bug Bounties

Companies and law enforcement are increasingly turning to white hat hackers for help.  The FBI apparently paid consultants over $1,000,000 to unlock an iPhone used by one of the shooters in the San Bernardino attacks, and companies such as Microsoft, Uber, Facebook, and Google are paying hackers tens of thousands of dollars to find vulnerabilities in their systems.  Davis Polk’s recent cybersecurity webcast discusses why companies are using pools of white hat hackers for certain … Continue Reading

Another Law Firm Suffers a Major Cyber Breach as Millions of Sensitive Client Documents Are Made Public in the “Paradise Papers”

Appleby, a multi-national law firm known for its tax planning services, is the latest law firm to suffer a major cyber breach in an event that has been dubbed the “Paradise Papers.”  This breach mirrors the Panama Papers leak from two years ago, which exposed millions of documents from the Mossack Fonseca law firm.

Appleby, like Mossack Fonseca, is known for its high-net-worth clients and its use of offshore entities to assist them in tax … Continue Reading

More Tough Penalties for Late Breach Notification

On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification.  Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2 to 6 hour data breach notification requirement.   So, as we have been predicting for some time, it seems that regulators are starting to step up enforcement and … Continue Reading

One Million Dollar Breach Notification Fine for Indian Bank Shows Increased Efforts by Regulators to Force Information Sharing Following a Breach

The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification.  On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations.  Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016.  … Continue Reading

Upcoming Webcast: Cyber Security and Vulnerability Assessments: Evolving Law on Hacking and Extortion in the Age of Bug Bounties

Register for Webcast

Please join us on November 15, 2017, 12:00 pm to 1:00 pm ET for a discussion on cyber vulnerability assessments and the evolving law on hacking and/or extortion, including:

  • Why companies are turning to pools of hackers to test their cyber defenses.
  • The line between lawful and unlawful conduct for white hat hackers trying to uncover a company’s cyber vulnerabilities.
  • The new DOJ guidelines on these kinds of vulnerability assessments.
  • How to
Continue Reading

Reducing Unneeded Data Becoming Part of Cybersecurity Best Practices

In our cybersecurity and data management webcast now available below, Davis Polk partners Avi Gesser, Gabe Rosenberg, and associate Matt Kelly, recently discussed getting rid of old documents to reduce cyber risk.

To avoid ending up in the news as the latest victim of a cyber-attack, companies are looking to improve their data security.  One way is data reduction─getting rid of old data that you don’t need for business purposes and you … Continue Reading

After Equifax, to Whom Should the CISO Report?

During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel.  This has caused several companies to question their own reporting structures for cybersecurity issues.  So what is the right structure for CISO reporting?  As usual, there is no one right or wrong answer.

We have seen many different reporting structures for CISOs … Continue Reading

FinRegReform Blog Post: Security Concerns Prompt Questions Regarding Whether the SEC Should Delay the CAT

The Davis Polk Financial Regulation Reform Team recently blogged about the breach of the SEC’s EDGAR database and how that breach impacts the Consolidated Audit Trail (“CAT”)

“In the wake of a highly-publicized cybersecurity breach involving the SEC’s EDGAR system, SEC Chairman Jay Clayton has been in the hot seat at recent congressional hearings, fielding pointed questions as to whether the SEC should delay implementation of the Consolidated Audit Trail (“CAT”).  The SEC has not … Continue Reading

LexBlog