Category Archives: New York State Law

The NYDFS Plans to Impose Significant Obligations on Insurers Using AI or External Data

by Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, Matt Kelly, Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji

Top (from left to right): Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, and Matt Kelly
Bottom (from left to right): Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji (Photos courtesy of Debevoise & Plimpton LLP)

On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the final adoption of Colorado’s AI Governance and Risk Management Framework Regulation (“CO Governance Regulation”) and the proposed Colorado AI Quantitative Testing Regulation (the “CO Proposed Testing Regulation”), discussed here, and the National Association of Insurance Commissioners’ (“NAIC”) model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “NAIC Model Bulletin”), discussed here. In the same way that NYDFS’s Part 500 Cybersecurity Regulation influenced standards for cybersecurity beyond New York State and beyond the financial sector, it is possible that the Proposed Circular will have a significant impact on the AI regulatory landscape.

The PCL builds on the NYDFS’s 2019 Insurance Circular Letter No. 1 (the “2019 Letter”) and includes some clarifying points on the 2019 Letter’s disclosure and transparency obligations. The 2019 Letter was limited to the use of external consumer data and information sources (“ECDIS”) for underwriting life insurance and focused on risks of unlawful discrimination that could result from the use of ECDIS and the need for consumer transparency. The Proposed Circular incorporates the general obligations from the 2019 Letter, adds more detailed requirements, expands the scope beyond life insurance, and adds significant governance and documentation requirements.

Cryptoasset Developments: Observations on the Thawing Crypto Winter

by Kevin S. Schwartz, Rosemary Spaziani, David M. Adlerstein, Samantha M. Altschuler, and Sabina M. Beleuz Neagu

Left to right: Kevin S. Schwartz, Rosemary Spaziani, David M. Adlerstein, Samantha M. Altschuler and Sabina M. Beleuz Neagu (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

The U.S. cryptoasset industry just rang in the new year with the watershed SEC approval of the first spot ETFs for a digital asset. With the approval of the first bitcoin Spot ETFs, making possible a path for millions of Americans to have direct bitcoin exposure in retirement and other traditional investment accounts, it is an appropriate time to reflect on significant recent developments that may shape the crypto industry in the year to come.

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024.

Cybersecurity Experts React to NYDFS’s Amendments to its Cybersecurity Rules

Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.

Top left to right: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, and Edward Stroz.
Bottom left to right: Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell. (Photos courtesy of the authors)

NYDFS Proposes Updated Second Amendment to Its Cybersecurity Regulation

by Lisa Sotto and Michael La Marca 

Lisa Sotto and Michael La Marca (Photos courtesy of Hunton Andrews Kurth)

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.

The New York Attorney General Issues Guidance on Data Security Best Practices

by Avi Gesser, Erez Liebermann, Stephanie D. Thomas, and Basil Fawaz

Avi Gesser, Erez Liebermann, Stephanie D. Thomas, and Basil Fawaz. (Photos courtesy of Debevoise & Plimpton LLP)

On April 19, 2023, the New York Attorney General (the “NYAG”) published new guidance (the “Guide”) recommending security measures for companies entrusted with consumers’ personal information. The Guide supplements the reasonable safeguards already outlined in the New York Shield Act, which, in part, requires covered entities to maintain reasonable security measures when handling personal information related to New York residents. The Guide reinforces practices that regulators have focused on, such as authentication, encryption, third-party risk management, and data governance. While the Guide’s recommendations are only advisory, it details the NYAG’s Shield Act enforcement actions on the issues, and the Guide is meant to put companies “on notice that they must take their data security obligations seriously.” Following its issuance, the NYAG announced additional Shield Act enforcement actions, including with Practicefirst Medical Management Solutions, that underscored many of the security concerns highlighted in the Guide.

NY Attorney General Seeks Broad Authority Over Digital Assets

by Luigi L. De Ghenghi, Boaz B. Goldwater, Randall D. Guynn, Joseph A. Hall, Justin Levine, Daniel E. Newman, David L. Portilla, Gabriel D. Rosenberg, Margaret E. Tahyar, and Zachary J. Zweihorn

From top left to right: Luigi L. De Ghenghi, Boaz B. Goldwater, Randall D. Guynn, Joseph A. Hall, and Justin Levine.
From bottom left to right: Daniel E. Newman, David L. Portilla, Gabriel D. Rosenberg, Margaret E. Tahyar, and Zachary J. Zweihorn. (photos courtesy of Davis Polk & Wardwell LLP)

The NY Attorney General is seeking legislation that would significantly expand the state’s reach over digital assets and require wholesale changes to the operation of digital asset businesses that choose to remain in New York.

Letitia James, the Attorney General of the State of New York (NYAG), released a proposed bill that—if taken up by the state legislature and enacted—would create the most comprehensive and restrictive digital asset regulatory regime in the United States.
