All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice.
Continue Reading Encryption Considerations under Data Breach Notification Laws

One of the biggest risks to data security is lack of vendor (third-party) and vendor subcontractor (fourth-party) management. Companies can mitigate ever-increasing vendor data security risk through purchasing appropriate cyber insurance and implementing a vendor risk management program that includes processes for systematically conducting due diligence and contract negotiations.

If primary vendors are not properly assessed, or controls are not placed on subcontractors (i.e., “fourth parties”) that may be used to render primary vendors’ services, numerous unknown parties with varying degrees of security controls can have access to sensitive information without the companies’ knowledge. Companies can contractually address this exposure by requiring pre-approval of fourth parties, imposing security requirements that must be met by fourth parties and/or requiring security reviews of such fourth parties. Vendor and fourth-party risk can also be managed by cyber insurance policies.
Continue Reading Cyber Risk: Addressing the Elephant in the Room

The New York State Department of Financial Services (“DFS”) Cybersecurity Regulation (“Regulation”) took effect on March 1, 2017, and applies to those entities operating or required to operate under New York banking, insurance and finance laws (“Covered Entities”). Covered Entities should have been in compliance with portions of the Regulation as of August 28, 2017, for which they certified compliance on February 15, 2018.
Continue Reading Be Prepared for the September 3, 2018 Deadline for New York State Department of Financial Services Cybersecurity Regulation Requirements

With Alabama’s recent enactment of the Alabama Data Breach Notification Act of 2018 (“Act”), all 50 states now have their own data breach reporting statutes. Given the complexity of the current U.S. data breach reporting regime, which also includes statutory reporting obligations in jurisdictions like Puerto Rico and the District of Columbia, businesses with customers in more than one state must coordinate with advisors who have experience navigating this patchwork quilt of statutes.

On March 28, 2018, Alabama became the 50th (and final) state to enact a data breach notification law. The Act requires notification where a “good faith and prompt investigation” results in a determination that “sensitive personally identifying information” (“SPII”) of an Alabama resident has been acquired or is reasonably believed to have been acquired by an unauthorized person, “and is reasonably likely to cause substantial harm to the individuals to whom the information relates.” 
Continue Reading Now That All U.S. States Have Data Breach Laws, National Breach Reporting Is Even More Complex

The New York Department of Financial Services (“DFS”) recently issued two additional answers to frequently asked questions related to filing procedures required by the DFS Cybersecurity Regulation (“Regulation”). The new FAQs come in the wake of the Regulation’s first annual Certification of Compliance filing deadline of February 15, 2018. The DFS clarified that individual licensees who are required to file a Certification of Compliance are acting as a “Senior Officer” as defined in the Regulation. The DFS also offered guidance to Covered Entities regarding the use of an “Entity ID” to complete required filings via the DFS’ cybersecurity portal.
Continue Reading DFS Answers New FAQs Regarding Filing Procedures Under DFS Cybersecurity Regulation

The Department of Financial Services (“DFS” or “Department”) has issued notices to entities and licensees that it believes have failed to file a Certification of Compliance (“Certification”) pursuant to the Department’s Cybersecurity Regulation (“Regulation”). The Regulation required all DFS-regulated entities and licensed persons to submit a Certification by February 15, 2018 to verify compliance with

Understanding and Managing Cybersecurity Risks Posed by Third Parties

Data security laws and regulations increasingly require businesses and organizations to perform sufficient oversight of their third-party vendor’s data security protocols. The interconnectedness of businesses and organizations in today’s marketplace means that it is critical to assess your contracts with third-party vendors and service providers to evaluate that your data is adequately protected and that you have appropriate legal recourse in the event of a data security incident.
Continue Reading Understanding and Managing Cybersecurity Risks Posed by Third Parties

As noted in Phillips Lytle’s recent Data Security & Privacy Client Alert, the new General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. GDPR is a regulation that imposes requirements on businesses to protect the personal data of European citizens. The regulation employs a very broad definition of what constitutes personal

On Monday, Superintendent Maria T. Vullo of the New York State Department of Financial Services (“DFS”) issued a reminder about the upcoming certification deadline under the DFS’s landmark Cybersecurity Regulation (“Regulation”). Superintendent Vullo stated that “[t]he DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities.” Accordingly, by February 15, 2018, all Covered Entities under the Regulation must file the first compliance certification with DFS. The compliance certification is a statement to the Superintendent that demonstrates compliance with the Regulation during the preceding calendar year.
Continue Reading New York Department of Financial Services Publishes a Reminder about the Upcoming February 15, 2018 Compliance Certification Filing Deadline for Its Cybersecurity Regulation

As noted in Phillips Lytle’s most recent Data Security & Privacy Client Alert, there are only a few short weeks until the first certification deadline under the New York State Department of Financial Services Cybersecurity Regulation (“Regulation”). Pursuant to the Regulation, those who are operating or required to operate under New York banking, insurance and finance laws must submit their first certification of compliance with the Regulation by February 15, 2018.
Continue Reading NYSDFS Cybersecurity Regulation: Certification of Compliance Required by February 15, 2018