Tag Archives: Matthew Kelly

New York DFS Issues Guidance for Adoption of Affiliates’ Cybersecurity Programs

by Greg Andres, Matthew Bacal, Martine Beamon, Angela Burgess, Robert Cohen, Gabriel Rosenberg, Margaret Tahyar, James Haldin, Matthew Kelly, and Daniel Newman

The New York DFS issued new guidance regarding a covered entity’s reliance on an affiliate’s cybersecurity program. The guidance explains DFS’s view that, when a covered entity relies on an affiliate’s program, DFS has authority to examine the affiliate’s program.

Since 2017, New York’s Cybersecurity Regulation, 23 N.Y.C.R.R. Part 500, has required any “Covered Entity”—that is, any entity regulated by New York’s Department of Financial Services (DFS)—to maintain a risk-based cybersecurity program consistent with certain prescriptive technical and procedural requirements. These requirements, the DFS has maintained, are designed to ensure that the Covered Entity’s program adequately protects the Covered Entity’s information systems and the nonpublic information maintained on them.


Navigating Cross-Border Data Transfers: Lessons from the Sedona Conference Commentary


New commentary from a respected think tank attempts to provide guidance on cross-border data transfers. The guidance proposes principles for determining which country’s law to apply to a cross-border transfer. Although there is no guarantee that the guidance will gain favor with courts or regulators, it is an important indicator of what the future may hold for this important and undeveloped area of law. While the commentary does not provide concrete steps to lawfully effect cross-border data transfers today, companies can infer several lessons, detailed below, from the issues highlighted in the commentary.

A 14.5 Million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

by Avi Gesser, Matthew Kelly, Will Schildknecht, Dr. Vera Jungkind (Hengeler Mueller), and Dr. Carolin Raspé (Hengeler Mueller)

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program. For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks. Companies that have implemented effective data minimization programs are careful to collect only the data that they are likely to use, and routinely get rid of old data that they no longer need, thereby significantly reducing their data protection risks. A recent enforcement action by the Berlin Data Protection Commissioner echoes recent U.S. regulatory developments in suggesting that companies without data minimization procedures face not only increased cybersecurity and privacy risks, but also regulatory risks—ones that can lead to penalties even when they don’t lead to a specific cyber incident. In other words, data minimization is becoming a stand-alone regulatory obligation, in addition to being a key component of cybersecurity best practices.

The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

by Avi Gesser, Matthew Kelly, Will Schildknecht, and Clara Y. Kim

By now, most major U.S. companies are generally aware of the new privacy requirements that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information. But, at least in the short term, it is likely that the CCPA’s cybersecurity requirements will have the most significant impact on companies.

Unfortunately, the CCPA does not spell out its cybersecurity requirements explicitly. Rather, it creates a private right of action for California consumers against companies that have experienced a cyber breach if their personal information has been taken by an unauthorized person. A successful action requires that the exfiltration or disclosure be of unencrypted personal data and result from the company’s violation of its duty to implement and maintain reasonable security procedures and practices. § 1798.150(a)(1).