Upcoming Webcast: Cyber Security and Data Management

Please join us on October 11, 2017 from 12:00 pm to 1:00 pm ET for a discussion on the evolving law and practice on the document management aspects of cyber security, including:

  • Regulators’ expectation for companies regarding deleting old non-public data to reduce cyber risk.
  • The interactions between the Federal Rules of Civil Procedure on electronic document spoliation and responsible cyber security data management.
  • Using predictive coding and data analytics to identify

NYDFS Cybersecurity Rules Inspires Insurance Data Security Draft Model Law

The National Association of Insurance Commissioners (“NAIC”) has signaled that insurance regulators may be the first government agencies to adopt the framework for cybersecurity regulation that was recently set out in the New York Department of Financial Services (“NYDFS”) cybersecurity rules, which went into effect on August 28, 2017.

The Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force of NAIC approved the Insurance Data Security Model Law (“Model Law”) in August …

Today (August 28) Marks the First NYDFS Cybersecurity Compliance Deadline, With a Certification Deadline Less Than Six Months Away

Today marks the first deadline for entities regulated by the New York Department of Financial Services (“NYDFS”) to comply with certain provisions of the recent NYDFS cybersecurity rules.  The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns.  The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement, will likely have a …

The HBO Hack: Preparing for a Cyber Breach Extortion

Earlier this month, HBO disclosed that it is the latest victim of cyber breach extortion, which involves criminals hacking into a company’s computer system, extracting sensitive information (e.g., emails of executives) or valuable intellectual property (e.g., unreleased television scripts or episodes), and then threatening to make the information public if a ransom is not paid, usually in Bitcoin.  In the HBO case, the hackers claim that this is their 17th target and that all …

Announcing our Cybersecurity Blog; One Month Until the NYDFS Cybersecurity Rules Take Effect

With about a month to go until the first set of NYDFS’s cybersecurity rules go into effect (on August 28, 2017), we are proud to announce the formal launch of the Davis Polk Cyber Breach Center.  The blog will help you keep pace with industry best practices and be aware of your company’s cybersecurity obligations, including those relating to the NYDFS rules.  Aside from posts about developments in cybersecurity, the blog includes information about …

NYDFS Provides Guidance on When Unsuccessful Cyber Attacks Should Be Reported

When the New York Department of Financial Services (“NYDFS”) issued its new cybersecurity rules in March, one question came up frequently:  When are covered entities required to report an unsuccessful cyber attack?  The rules provide that notification must be made to the NYDFS within 72 hours from a determination that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations, and the definition of a cybersecurity event includes an unsuccessful …

Beyond Prevention: Regulators Focus on Cyber Resilience, Highlighting Importance of Risk Assessment

In a Risk Perspective released on July 7, 2017, the Office of the Comptroller of the Currency (“OCC”) emphasized the need for institutions to be cyber resilient – i.e., be able to respond to cyber attacks by managing various risks.  Acting Comptroller Keith Noreika noted in a speech on the same day that “[e]ffective risk management promotes timely detection, response and escalation of operational issues to reduce customer impact due to product failures, possible fraud, …

The PetyaWrap Attack, Anthem Data Breach Settlement, and NYDFS Cyber Regulations All Highlight that Companies Should Review Their Access Controls

Three recent cybersecurity events highlight the need for companies to review their access controls to limit who has administrator privileges and how long those elevated privileges last.

First, this week, computer malware that has variously been called PetyaWrap, WannaCry2, GoldenEye and NotPetya began spreading in dozens of countries, encrypting computers and informing users that they could unlock their machines by paying a $300 ransom.  Although the malware first appeared to function as ransomware, it now …

Less than Half of Financial Firms Subject to NY DFS Expect to Meet the Deadline for Compliance

A new report from the Ponemon Institute indicates that less than half of the nearly 600 financial institutions surveyed expect to meet the February 2018 deadline for certification of compliance with all of the cybersecurity rules from NY DFS that are applicable to them. Of those, nearly one-quarter said there was “no chance” they would be able to do so. Notwithstanding these challenges, the DFS has indicated on the FAQ section of its website that …

Davis Polk’s Data Breach Portal and Breach Notification Assessment Tool Move to Client Beta Testing

We are pleased to announce that client beta testing has begun for the Davis Polk Data Breach Notification Resource Portal—a secure online suite of tools designed to assist clients in preparing and planning for a possible data breach, and help them comply with state and federal law obligations to inform customers, regulators, and law enforcement.  Utilizing a simple, query-based portal, the Notification Assessment Tool allows clients to receive rapid privileged legal advice on notification …
