Companies and law enforcement are increasingly turning to white hat hackers for help. The FBI apparently paid consultants over $1,000,000 to unlock an iPhone used by one of the shooters in the San Bernardino attacks, and companies such as Microsoft, Uber, Facebook, and Google are paying hackers tens of thousands of dollars to find vulnerabilities in their systems. Davis Polk’s recent cybersecurity webcast discusses why companies are using pools of white hat hackers for certain … Continue Reading
Appleby, a multi-national law firm known for its tax planning services, is the latest law firm to suffer a major cyber breach in an event that has been dubbed the “Paradise Papers.” This breach mirrors the Panama Papers leak from two years ago, which exposed millions of documents from the Mossack Fonseca law firm.
Appleby, like Mossack Fonseca, is known for its high-net-worth clients and its use of offshore entities to assist them in tax … Continue Reading
On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification. Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2 to 6 hour data breach notification requirement. So, as we have been predicting for some time, it seems that regulators are starting to step up enforcement and … Continue Reading
The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. … Continue Reading
Please join us on November 15, 2017, 12:00 pm to 1:00 pm ET for a discussion on cyber vulnerability assessments and the evolving law on hacking and/or extortion, including:
- Why companies are turning to pools of hackers to test their cyber defenses.
- The line between lawful and unlawful conduct for white hat hackers trying to uncover a company’s cyber vulnerabilities.
- The new DOJ guidelines on these kinds of vulnerability assessments.
- How to
In our cybersecurity and data management webcast now available below, Davis Polk partners Avi Gesser, Gabe Rosenberg, and associate Matt Kelly, recently discussed getting rid of old documents to reduce cyber risk.
To avoid ending up in the news as the latest victim of a cyber-attack, companies are looking to improve their data security. One way is data reduction─getting rid of old data that you don’t need for business purposes and you … Continue Reading
During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel. This has caused several companies to question their own reporting structures for cybersecurity issues. So what is the right structure for CISO reporting? As usual, there is no one right or wrong answer.
We have seen many different reporting structures for CISOs … Continue Reading
The Davis Polk Financial Regulation Reform Team recently blogged about the breach of the SEC’s EDGAR database and how that breach impacts the Consolidated Audit Trail (“CAT”)
“In the wake of a highly-publicized cybersecurity breach involving the SEC’s EDGAR system, SEC Chairman Jay Clayton has been in the hot seat at recent congressional hearings, fielding pointed questions as to whether the SEC should delay implementation of the Consolidated Audit Trail (“CAT”). The SEC has not … Continue Reading
In a statement issued on Wednesday, September 20th, the U.S. Securities and Exchange Commission (SEC) revealed that it was investigating a 2016 data breach of its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database. The SEC does not believe that personally identifiable information was exposed, but the investigation is still ongoing and raises questions regarding government agencies’ obligations to protect sensitive information, and the potential litigation challenges facing individuals who are impacted by hacks of … Continue Reading
Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC. With the recent Equifax breach, this appears to be changing.
The Massachusetts Attorney General filed a complaint against Equifax on September 17, 2017, asserting that Equifax violated Massachusetts Data Security Regulations by failing to safeguard personal information of credit applicants. … Continue Reading
Please join us on October 11, 2017 from 12:00 pm to 1:00 pm ET for a discussion on the evolving law and practice on the document management aspects of cyber security, including:
- Regulators’ expectation for companies regarding deleting old non-public data to reduce cyber risk.
- The interactions between the Federal Rules of Civil Procedure on electronic document spoliation and responsible cyber security data management.
- Using predictive coding and data analytics to identify
The National Association of Insurance Commissioners (“NAIC”) has signaled that insurance regulators may be the first government agencies to adopt the framework for cybersecurity regulation that was recently set out in the New York Department of Financial Services (“NYDFS”) cybersecurity rules, which went into effect on August 28, 2017.
The Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force of NAIC approved the Insurance Data Security Model Law (“Model Law”) in August … Continue Reading
Today marks the first deadline for entities regulated by the New York Department of Financial Services (“NYDFS”) to comply with certain provisions of the recent NYDFS cybersecurity rules. The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns. The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement, will likely have a … Continue Reading
Earlier this month, HBO disclosed that it is the latest victim of cyber breach extortion, which involves criminals hacking into a company’s computer system, extracting sensitive information (e.g., emails of executives) or valuable intellectual property (e.g., unreleased television scripts or episodes), and then threatening to make the information public if a ransom is not paid, usually in Bitcoin. In the HBO case, the hackers claim that this is their 17th target and that all … Continue Reading
With about a month to go until the first set of NYDFS’s cybersecurity rules go into effect (on August 28, 2017), we are proud to announce the formal launch of the Davis Polk Cyber Breach Center. The blog will help you keep pace with industry best practices and be aware of your company’s cybersecurity obligations, including those relating to the NYDFS rules. Aside from posts about developments in cybersecurity, the blog includes information about … Continue Reading
When the New York Department of Financial Services (“NYDFS”) issued its new cybersecurity rules in March, one question came up frequently: When are covered entities required to report an unsuccessful cyber attack? The rules provide that notification must be made to the NYDFS within 72 hours from a determination that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations, and the definition of a cybersecurity event includes an unsuccessful … Continue Reading
In a Risk Perspective released on July 7, 2017, the Office of the Comptroller of the Currency (“OCC”) emphasized the need for institutions to be cyber resilient – i.e., be able to respond to cyber attacks by managing various risks. Acting Comptroller Keith Noreika noted in a speech on the same day that “[e]ffective risk management promotes timely detection, response and escalation of operational issues to reduce customer impact due to product failures, possible fraud, … Continue Reading