The New York Department of Financial Services (“DFS”) released their proposed second amendment to the Cybersecurity Regulation, 23 NYCRR Part 500 (“Proposed Second Amendment”) on October 9, 2022. DFS issued a minor amendment on April 2, 2020, revising the certification of compliance date (from February to April). The Proposed Second Amendment follows DFS’s “pre-proposed” draft […]
UK’s National Cyber Security Centre Releases 2022 Annual Review
The United Kingdom’s National Cyber Security Centre (NCSC) recently released its 2022 Annual Review, which reports on the state of cyber security threats in the country. As the UK’s technical authority for cyber security, the NCSC releases an annual report covering the cyber threats from the prior 12 months as well as analysis of potential […]
FTC Takes Action Against Ed Tech Provider for Failure to Secure Student’s Personal Information
On October 31, 2022, the Federal Trade Commission (FTC) announced it has taken action against education technology provider Chegg Inc. (“Chegg”) for its “careless” cybersecurity practices that exposed sensitive personal information of millions of its customers and employees. This action highlights the FTC’s continued efforts to aggressively protect consumer personal data. The FTC’s complaint alleges […]
Recent FTC Order Has Implications for Executive Liability and Corporate Data Minimization Practices
On October 24, 2022, the Federal Trade Commission (“FTC”) announced a proposed consent order against both Drizly LLC, an online marketplace for alcohol delivery, and its CEO over the company’s alleged security failures that led to a data breach in 2020, which exposed the personal information of approximately 2.5 million Drizly customers. Drizly and its […]
NYDFS Announces Significant Cybersecurity Settlement with EyeMed Vision Care
On October 18, 2022, EyeMed Vision Care LLC (“EyeMed”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) relating to a cybersecurity event from 2020 that exposed consumer nonpublic information (“NPI”) to an unauthorized individual. EyeMed agreed to pay DFS a $4.5 million penalty, in addition to implementing mandatory remediation […]