by Craig A. Newman and Alejandro H. Cruz
The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.
Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation. They come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was previously Cuomo’s chief of staff. Her confirmation has not yet been scheduled.
by Avi Gesser, Kelsey Clark, Jennifer E. Kerslake, and Eric McLaughlin
In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation. Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into its Standards for Safeguarding Customer Information rule (the “Safeguards Rule”). The proposal would also expand the Safeguards Rule’s definition of “financial institution” to include “finders,” or companies that connect potential parties to a transaction. As a reminder, the Safeguards Rule applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities, including non-bank mortgage lenders, payday lenders, finance companies, check cashers, money transmitters, collection firms, and tax preparers.
by Lynn Haaland
The California Consumer Privacy Act (CCPA) is an important development for companies doing business in California that have revenues above a minimal threshold, which effectively means that the act will impact many of the largest companies doing business in the United States. On Monday, February 25, 2019, Senator Hertzberg, who represents the eastern San Fernando Valley senate district and who was recently selected as Senate Majority Leader, addressed a group in downtown San Francisco about the CCPA. Senator Hertzberg and California State Assembly member Ed Chau were the primary architects of the CCPA. For this reason, Senator Hertzberg’s comments about the CCPA are worth paying attention to.
We recently wrote about companies monitoring employees to reduce cybersecurity risks. Those insider threat risks do not end when employees leave the company. Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a former employee acting in good faith. Companies must therefore take steps to protect their data from walking out the door with exiting employees.
by Samuel G. Bieler
This is the second in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The first part may be found here.
Poor regulation of the consumer IoT electronics sector compounds the negative market incentives discussed in the first part of this series. While standards for IoT devices are taking shape in some sectors of the U.S. economy, no similar regime has been developed for the broad consumer IoT electronics market. Moreover, little expert consensus has developed as to what such a regime would look like even if the political will existed to implement it. Such a regime would also have to contend with the challenges of regulating a market where many key actors are overseas. These challenges need not pose an insuperable barrier to developing a sound regulatory regime but do suggest that far more thought needs to be put into understanding what IoT regulation would actually look like.
by Avi Gesser, John R. Kapp, and Michelle Adler
Two-factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have good lost-phone protocols.
Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA), including the NYDFS cyber rules, the NIST identification and authentication requirements, the Payment Card Industry (“PCI”) Data Security Standard 8.3, as well as the proposed amendments to GLBA.
MFA involves confirming that a purported user of a certain login credential and password is actually the authorized user, by employing an additional verification method, such as a passcode sent to an employee’s phone by text message or through an authenticator app like Duo or Google Authenticator. But not all forms of verification are equal. In 2016, NIST considered not recommending SMS messages as a form of second-factor authentication due to their susceptibility to being redirected by attackers.
by Avi Gesser, Jai Massari, Kelsey Clark, and Daniela Dekhtyar-McCarthy
On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect. These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers. They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.” These ISSP obligations relate to, among other things, approval and third-party cyber diligence (see our previous blog post).
Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to its commodity interest business that results in:
- any loss of customer or counterparty funds;
- any loss of an NFA Member’s own capital; or
- the NFA Member providing notice to customers or counterparties under state or federal law.
by Avi Gesser and David Robles
New cyber regulations, such as the California Consumer Privacy Act, have companies concerned about expanding potential liability. Companies fear that private rights of action are being created that will allow consumers to sue by alleging that the companies failed to protect their personal information. But attention should also be paid to plaintiffs’ recent successes in applying existing legal frameworks—such as basic tort law—to cyber cases. We have previously written about the use of state consumer protection acts to recover in data breach cases. Recently, plaintiffs have also made some significant inroads in bringing negligence actions against companies that have experienced cyber events.
On January 28, 2019, the U.S. District Court for the Northern District of Georgia issued a decision in the Equifax Consolidated Consumer Class Action, allowing the consumers’ negligence claims against Equifax to move forward. Judge Thrash found that the consumers had sufficiently alleged injuries resulting from the breach, pointing to the “unauthorized charges on their payment cards as a result of the Data Breach” as actual, concrete injuries that are legally cognizable under Georgia law. The Court rejected Equifax’s arguments that the consumers’ injuries should be attributed to the hackers and could have been caused by data breaches at other companies. The Court noted that allowing companies “to rely on other data breaches to defeat a causal connection would ‘create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable.’” Critically, the Court found that, given the foreseeable risk of a data breach, Equifax owed consumers an independent legal duty of care to take reasonable measures to safeguard their personal information in Equifax’s custody. Because of that independent duty, the Court held that the economic loss doctrine was not a bar to the consumers’ recovery.
by Samuel G. Bieler
This is the first in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The second part may be found here.
Cybersecurity in U.S. consumer Internet of Things (“IoT”) electronics is remarkably weak, and this vulnerability is driven, in large part, by the economics behind these devices. Consumers lack the knowledge to make cybersecurity-informed purchasing decisions even if they are willing to do so – and many are not, particularly for low-end items. This means manufacturers are not rewarded for building good cybersecurity into their devices and may even be punished for it. Developers who take the time to build security into their devices may lose the race to market and the advantages that come with getting a product there first. Collectively, these factors make it unlikely that market dynamics alone will improve cybersecurity in the consumer IoT market. Policy interventions will be necessary to mitigate some of these economic incentives.
The consumer IoT electronics market consists of devices designed for daily household use whose primary purpose is not internet-enabled communication or browsing. This narrow definition confines the analysis of the IoT sector to a ubiquitous and problematic set of products. It includes everyday goods like baby monitors, refrigerators, and even toasters whose operation is enhanced with or facilitated by an internet connection. It excludes goods not used in the home, like cars with internet capabilities or components of complex industrial systems.
by Maria T. Vullo
Recently, the White House chief of staff announced that a major priority of the federal administration is de-regulation. According to the proponents of de-regulation, companies should be free to determine their own risks without governmental interference. This view is myopic and, if continued, will lead to increased risk to our financial system. Certainly, cybersecurity is not an area that should be part of any de-regulatory agenda.
The job of the regulator, particularly in the financial services industry, is to ensure the safety and soundness of an industry that serves the public. Promoting a compliance culture is a key part of the regulator’s job. For government actors to make political statements about the propriety of regulations as a binary proposition is a very bad idea. We have been there before and must resist the impulse to think it cannot happen again.