One of the many difficult questions that companies face in the immediate aftermath of discovering a cyber breach is whether to inform their regulators or law enforcement. Assuming there is no mandatory disclosure obligation, some companies are reluctant to call the government because (1) they may not know all the facts yet, (2) they don’t want to waive privilege, and (3) they are worried that the company will become the target of an investigation into …
Cryptojacking is the newest cyber threat that companies are facing. It involves hackers accessing company servers in order to steal processing power, which is then used to mine cryptocurrencies.
With the recent increase in value of digital assets such as bitcoin, Ether, and Monero, it is not surprising that criminal hackers and rogue states are looking for ways to acquire these currencies, which they can use anonymously for various legal and illegal purposes. One way …
One of our cyber predictions for 2018 was that class action securities cases are going to become a major issue for companies involved in cyber events.
Large-scale data breaches often give rise to a variety of legal problems for the affected company, ranging from consumer class action litigation to congressional inquiries and state attorney general investigations. As we have discussed previously, an additional emerging risk for breached companies is federal securities class action litigation …
Cybersecurity regulators appear to be converging on 72-hour breach notification. First it was the European Union’s General Data Protection Regulation (“GDPR”), then it was the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) has adopted the Insurance Data Security Model Law (“Model Law”) – all with a 72-hour breach notification requirement.
The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. …
During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel. This has caused several companies to question their own reporting structures for cybersecurity issues. So what is the right structure for CISO reporting? As usual, there is no one right or wrong answer.
We have seen many different reporting structures for CISOs …
Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC. With the recent Equifax breach, this appears to be changing.
The Massachusetts Attorney General filed a complaint against Equifax on September 17, 2017, asserting that Equifax violated Massachusetts Data Security Regulations by failing to safeguard personal information of credit applicants. …
The National Association of Insurance Commissioners (“NAIC”) has signaled that insurance regulators may be the first government agencies to adopt the framework for cybersecurity regulation that was recently set out in the New York Department of Financial Services (“NYDFS”) cybersecurity rules, which went into effect on August 28, 2017.
The Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force of NAIC approved the Insurance Data Security Model Law (“Model Law”) in August …
Today marks the first deadline for entities regulated by the New York Department of Financial Services (“NYDFS”) to comply with certain provisions of the recent NYDFS cybersecurity rules. The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities and for any company facing cybersecurity concerns. The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement will likely have a …
We are pleased to announce that client beta testing has begun for the Davis Polk Data Breach Notification Resource Portal—a secure online suite of tools designed to assist clients in preparing and planning for a possible data breach, and help them comply with state and federal law obligations to inform customers, regulators, and law enforcement. Utilizing a simple, query-based portal, the Notification Assessment Tool allows clients to receive rapid privileged legal advice on notification …
We have issued a memo on recent proposed cybersecurity regulations by the New York State Department of Financial Services that would be more stringent than existing federal requirements for certain financial entities. The memo highlights similarities and differences between the proposed regulations and federal regulations and guidance.