The SEC’s recent enforcement action and settlement with Altaba (formerly known as Yahoo) over the company’s major data breach provides a suggested roadmap for how companies may want to proactively approach data breach issues. Some major takeaways are: (1) companies should have effective controls in place to assess disclosure obligations; (2) known cyberattacks should, when appropriate, be included in disclosures in public filings; and
(3) if known cyberattacks have a material impact on the business, it requires disclosure.
Continue Reading

Both large and small companies can be overwhelmed by the volume of records that they create both in paper and electronic formats. What does your company do with this mountain of paper and electronic records? How long should your company retain and archive such records when considering the myriad of complex federal record retention requirements, state-specific record retention requirements and other government agency standards? A blanket indefinite retention and storage policy related to all of your company’s paper and electronic records is impractical, costly and not the answer!
Continue Reading

Understanding and Managing Cybersecurity Risks Posed by Third Parties

Data security laws and regulations increasingly require businesses and organizations to perform sufficient oversight of their third-party vendor’s data security protocols. The interconnectedness of businesses and organizations in today’s marketplace means that it is critical to assess your contracts with third-party vendors and service providers to evaluate that your data is adequately protected and that you have appropriate legal recourse in the event of a data security incident.
Continue Reading

In November 2017, New York Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) to the New York State legislature. The bill, sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh, seeks to amend current laws to broaden the definition of protected information and what are reportable data security incidents. As of November 27, 2017, the bill is under review by the Senate Rules Committee.

Under current cybersecurity breach notification laws in New York, the Attorney General’s office reports that it received nearly 1,300 reported data breaches in 2016, a 60 percent increase from the number of breaches reported in the previous year. According to an analysis performed by the Attorney General’s office, much of the information exposed by the reported data breaches consists of New York residents’ Social Security numbers and financial account information.
Continue Reading