September 4, 2018 marks the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include the encryption and audit trail requirements as well as ones relating to the implementation of monitoring policies, procedures, and controls, application security, and data retention limitations.
Encryption (500.15): The regulation requires covered entities to encrypt Nonpublic Information held or transmitted by a covered entity both in transit over external [...] Read more
On Friday, the Consumer Financial Protection Bureau announced its “finalized amendments” to Regulation P, an implementing regulation of the federal financial Gramm Leach Bliley Act. Regulation P governs the provision of privacy notices for covered financial institutions. In response to legislation passed by Congress in late 2015, the final rule issued Friday permits financial institutions to avoid providing annual privacy notices to customers in certain circumstances. In addition, in cases where the annual notice requirement remains, the final rule permits financial institutions additional [...] Read more
Virginia amended the state’s data breach notification law, effective July 1, 2017, to expand notification requirements for employers and payroll service providers to data breaches that involve “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a [Virginia] taxpayer’s identification number in combination with the income tax withheld for that taxpayer. . . .”[1]
The expanded notification obligation is subject to the same likelihood of harm threshold that applies in the original law. Notification is required only when the employer or payroll [...] Read more
More regulators (apart from the FTC) are now taking note of cybersecurity issues in the financial services industry and are taking steps to protect the industry and its consumers.
Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) issued its first enforcement action on data security against an online payment system. In June, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body, issued a press release advising financial institutions to review their risk-management practices. Last month, the New York State Department of Financial [...] Read more
On Tuesday, October 11, 2016, the D.C. Circuit Court issued its opinion in PHH Corp. v. Consumer Financial Protection Bureau, holding that the Consumer Financial Protection Bureau (CFPB) was unconstitutionally structured. In the majority opinion, Judge Kavanaugh described the position of CFPB Director as, in terms of unilateral authority, “the single most powerful official in the entire U.S. Government, other than the President.” (Maj. Opinion at 27). The Court’s ruling severs the for-cause removal protection provision for the Director from the Dodd-Frank Act, repositioning the CFPB as an [...] Read more
The Federal Trade Commission held its PrivacyCon event, featuring nineteen presentations showcasing original research regarding important consumer privacy and security issues by leading academics from universities and think tanks from around the world. A full video recording of the webcast is available here.
The conference took place in Washington on Jan. 14, 2016, and included discussion about the policy implications of the research being conducted with thought leaders from academia, research, consumer advocacy, and industry.
FTC Commissioner Julie Brill succinctly outlined the top concerns [...] Read more
Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement warning of an “increasing frequency and severity of cyber attacks involving extortion.” The statement warned that criminals have been extorting financial institutions using a variety of tactics, including denial of service attacks, theft of sensitive information, and use of “ransomware,” which is software that prevents legitimate users from accessing company files unless a ransom is paid. To protect against these attacks, the FFIEC encouraged financial institutions to “develop and implement [...] Read more
Jan Dhont, Brussels partner and head of the firm’s European Privacy and Data Protection practice authored the Corporate Counsel article, “The Sinking of the Safe Harbor: Just Another Symbolic Decision?” In the article, Dhont discusses the concerns and uncertainty stemming from the October 6 European Court of Justice strike-down of Safe Harbor, and where companies may go from here. This ruling is a matter of global concern and may actually result in less privacy for individuals, not more.
Dhont notes that while there are mid- to long-term solutions to take the place of Safe Harbor, [...] Read more
In a concise statement, the Article 29 Working Party (WP29), a consortium of European Data Protection Authorities (DPAs), released a position paper today about the landmark ruling of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner (C-362-14).
WP29 makes a political call on the EU Member States to finalize discussions with the US authorities on a political and legal solution for the transfer of personal information from the EU to the US. The solution should ensure that strong guarantees are provided to EU data subjects against US surveillance. WP29 calls [...] Read more
On October 20, Alston & Bird will host a panel discussion with FTC Commissioner Julie Brill. The event will be broadcast as a webinar. Commissioner Brill will discuss the future of U.S. – European privacy with Brussels Partner Jan Dhont and Senior Counsel Peter Swire. The discussion will be moderated by Partner Jim Harvey.
This timely discussion with Commissioner Brill follows the European Court of Justice’s rejection of the Safe Harbor framework in the judgment issued on October 6. That rejection affects thousands of businesses engaged in E.U. – U.S. data transfers. Meanwhile, the [...] Read more
