The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. … Continue Reading
During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel. This has caused several companies to question their own reporting structures for cybersecurity issues. So what is the right structure for CISO reporting? As usual, there is no one right or wrong answer.
We have seen many different reporting structures for CISOs … Continue Reading
Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC. With the recent Equifax breach, this appears to be changing.
The Massachusetts Attorney General filed a complaint against Equifax on September 17, 2017, asserting that Equifax violated Massachusetts Data Security Regulations by failing to safeguard personal information of credit applicants. … Continue Reading
The National Association of Insurance Commissioners (“NAIC”) has signaled that insurance regulators may be the first government agencies to adopt the framework for cybersecurity regulation that was recently set out in the New York Department of Financial Services (“NYDFS”) cybersecurity rules, which went into effect on August 28, 2017.
The Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force of NAIC approved the Insurance Data Security Model Law (“Model Law”) in August … Continue Reading
Today marks the first deadline for entities regulated by the New York Department of Financial Services (“NYDFS”) to comply with certain provisions of the recent NYDFS cybersecurity rules. The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns. The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement, will likely have a … Continue Reading
We are pleased to announce that client beta testing has begun for the Davis Polk Data Breach Notification Resource Portal—a secure online suite of tools designed to assist clients in preparing and planning for a possible data breach, and help them comply with state and federal law obligations to inform customers, regulators, and law enforcement. Utilizing a simple, query-based portal, the Notification Assessment Tool allows clients to receive rapid privileged legal advice on notification … Continue Reading
We have issued a memo on recent proposed cybersecurity regulations by the New York State Department of Financial Services that would be more stringent than existing federal requirements for certain financial entities. The memo highlights similarities and differences between the proposed regulations and federal regulations and guidance.