Category Archives: Cybercrime & Cybersecurity

Blockchain and the New Regulatory Havens

by Omri Marian

Over the past few years, small jurisdictions known as “tax havens” have been engaged in a race to become leading hubs for blockchain technology. In a recent article, I explore the extent of this phenomenon, its drivers, and its regulatory ramifications. In short, I argue that the traditional tax-haven model is in decline due to recent coordinated international efforts to shut down abusive tax-haven practices. Blockchain technology, however, offers commodities similar to those offered by tax-haven jurisdictions, and it is not (yet) subject to coordinated international regulatory efforts. Tax havens seem to have identified the opportunity to offer their traditional regulatory commodities via the medium of blockchain technology. I argue that the rise of so-called “Blockchain Havens” presents significant regulatory challenges that can only be addressed via coordinated global efforts. Continue reading

Ephemeral Messaging for Businesses: Balancing the Risks of Keeping and Deleting Data by Default

by Avi Gesser, Daniel F. Forester, and Mengyi Xu

One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data.  By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with their regulatory obligations.  But getting rid of old data isn’t easy, in part because of the legal limitations on what can be deleted.  We have previously written about these challenges, as well as the benefits of data minimization, which include reducing:

  • the growth of a company’s data over time, and the associated storage costs;
  • lost productivity associated with searching large volumes of irrelevant data;
  • the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering CCPA and GDPR-type rights of access and erasure;
  • internal audit and compliance risks;
  • contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed); and
  • the volume of documents that may be unhelpful to the company in potential, but not yet reasonably anticipated, litigation or regulatory inquiries.

Continue reading

Regulators and Plaintiffs Aren’t Waiting for Privacy Legislation: Companies Face Potential Liability Now and Can Take Steps to Reduce Risks

by

Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works.  But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for new laws.  Instead, they are refitting existing laws to meet their data privacy and security objectives. Continue reading

Incoming DFS Chief Calls Cyber the “Number One Threat” Facing Industry and Government

by Craig A. Newman and Alejandro H. Cruz

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled. Continue reading

The FTC Moves Toward a Rules-Based Approach to Cybersecurity Regulation for Financial Institutions

by Avi Gesser, Kelsey Clark, Jennifer E. Kerslake, and Eric McLaughlin

In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation.  Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into its Standards for Safeguarding Customer Information rule (the “Safeguards Rule”).  The proposal would also expand the Safeguards Rule’s definition of “financial institution” to include “finders,” or companies that connect potential parties to a transaction.  As a reminder, the Safeguards Rule applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities, including non-bank mortgage lenders, payday lenders, finance companies, check cashers, money transmitters, collection firms, and tax preparers. Continue reading

Does the California Consumer Privacy Act Empower the Consumer and Generate Trust?

by Lynn Haaland

The California Consumer Privacy Act (CCPA) is an important development for companies doing business in California that have revenues above a minimum threshold, which effectively means that the act will affect many of the largest companies doing business in the United States.  On Monday, February 25, 2019, Senator Hertzberg, who represents the eastern San Fernando Valley senate district and was recently selected as Senate Majority Leader, addressed a group in downtown San Francisco about the CCPA.[1]  Senator Hertzberg and California State Assembly member Ed Chau were the primary architects of the CCPA.  For this reason, Senator Hertzberg’s comments about the CCPA are worth paying attention to. Continue reading

Cyber Monitoring Employees Part 2 – Insider Threats Continue After Employees Leave

By

We recently wrote about companies monitoring employees to reduce cybersecurity risks.  Those insider threat risks do not end when employees leave the company.  Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a former employee acting in good faith.  Companies must therefore take steps to protect their data from walking out the door with exiting employees. Continue reading

Uncertain Regulatory Theory and Law Hampers Consumer IoT Cybersecurity

(Program on Corporate Compliance and Enforcement student fellow blog post)

by Samuel G. Bieler

This is the second in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The first part may be found here.

Poor regulation of the consumer IoT electronics sector compounds the negative market incentives discussed in the first part of this series. While standards for IoT devices are taking shape in some sectors of the U.S. economy, no similar regime has been developed for the broad consumer IoT electronics market. Moreover, little expert consensus has developed as to what such a regime would look like even if the political will existed to implement it. Such a regime would also have to contend with the challenges of regulating a market where many key actors are overseas. These challenges need not pose an insuperable barrier to developing a sound regulatory regime but do suggest that far more thought needs to be put into understanding what IoT regulation would actually look like. Continue reading

The Weakness in Two-Factor Authentication—Your Lost Phone Policy

by Avi Gesser, John R. Kapp, and Michelle Adler

Two-factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have good lost-phone protocols.

Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA), including the NYDFS cyber rules, the NIST identification and authentication requirements, the Payment Card Industry (“PCI”) Data Security Standard requirement 8.3, and the proposed amendments to the GLBA Safeguards Rule.

MFA involves confirming that the purported user of a login credential and password is actually the authorized user, by employing an additional verification method, such as a passcode sent to an employee’s phone by text message or generated by an authenticator app like Duo or Google Authenticator.  But not all forms of verification are equal.  In 2016, NIST considered no longer recommending SMS messages as a second factor because of their susceptibility to being redirected by attackers. Continue reading
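The post’s point is that a second factor is only as good as what happens when the enrolled device is lost: the secret stays on the missing handset, so correct-looking codes must stop being accepted. The block below is an added illustration written for this page, not code from the original post or from any authenticator vendor. It implements the authenticator-app path (RFC 4226 HOTP / RFC 6238 TOTP, which is what Google Authenticator and similar apps compute) together with a small device registry whose `report_lost` step is the lost-phone protocol in code; it does not model SMS delivery. The `DeviceRegistry` class, its method names, the user and device identifiers, and the base32 secret are assumptions made for the example; the secret is the RFC 6238 reference test key.

```python
"""TOTP verification with lost-device revocation and replay protection.

Added example for this page, not code from the original post. HOTP/TOTP
arithmetic follows RFC 4226 / RFC 6238; the registry and all names, users
and device identifiers are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # time step used by common authenticator apps


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed that authenticator apps import (padding is optional)."""
    padded = encoded.strip().upper() + "=" * (-len(encoded.strip()) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class DeviceRegistry:
    """Per-user record of enrolled authenticator devices and their revocation state.

    Hypothetical registry for this example. A lost phone is handled by
    report_lost(): the seed is still on the missing handset, so the only safe
    response is to stop accepting codes derived from it, even correct ones.
    """

    def __init__(self) -> None:
        self._devices = {}  # (user, device_id) -> state dict

    def enroll(self, user: str, device_id: str, secret: bytes) -> None:
        self._devices[(user, device_id)] = {
            "secret": secret,
            "revoked": False,
            "last_counter": -1,  # highest time-step counter already accepted
        }

    def report_lost(self, user: str, device_id: str) -> None:
        """Lost-phone protocol step: revoke the device. There is no un-revoke."""
        self._devices[(user, device_id)]["revoked"] = True

    def verify(self, user: str, device_id: str, code: str,
               unix_time: int, skew: int = 1) -> bool:
        state = self._devices.get((user, device_id))
        if state is None or state["revoked"]:
            return False  # unknown or lost device: reject before touching the seed
        current = unix_time // STEP_SECONDS
        for window in range(-skew, skew + 1):  # tolerate one step of clock drift
            counter = current + window
            if counter <= state["last_counter"]:
                continue  # a code for this step was already accepted: replay
            expected = hotp(state["secret"], counter)
            if hmac.compare_digest(expected, code):  # constant-time compare
                state["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed scenario: the RFC 6238 reference seed, times from its test vectors.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    reg = DeviceRegistry()
    reg.enroll("alice", "phone-1", seed)
    print("fresh code accepted:", reg.verify("alice", "phone-1", totp(seed, 59), 59))
    print("same code replayed:", reg.verify("alice", "phone-1", totp(seed, 59), 59))
    reg.report_lost("alice", "phone-1")
    good = totp(seed, 1111111109)
    print("correct code after phone reported lost:",
          reg.verify("alice", "phone-1", good, 1111111109))
```

Two details matter in practice: the `last_counter` check rejects a code that an attacker captured and replays within the same time step, and the revocation check runs before any HMAC is computed, so a stolen handset cannot be used to log in even though its codes still verify arithmetically. Re-enrolling the user on a replacement device means a fresh seed under a new `device_id`, never reuse of the old one.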

NFA Members Should Prepare for Onerous New Breach Notification Requirements

by Avi Gesser, Jai Massari, Kelsey Clark, and Daniela Dekhtyar-McCarthy

On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect.  These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers.  They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.”  These ISSP obligations relate to, among others, approval and third-party cyber diligence (see our previous blog post).

Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to its commodity interest business that results in:

  • any loss of customer or counterparty funds;
  • any loss of an NFA Member’s own capital; or
  • the NFA Member providing notice to customers or counterparties under state or federal law.

Continue reading