South Dakota is the latest state to add notice requirements for data breaches, mandating notice within 60 days of the breach. Like many others before it, South Dakota armed the mandate with steep monetary penalties of up to $10,000 per day, per violation.

Alabama — the sole remaining U.S. state without a data breach law — ushered a data breach bill through the state legislature earlier this week. If Governor Kay Ivey signs the bill into law, all 50 states will have data breach legislation on the books.

The Department of Financial Services (“DFS” or “Department”) has issued notices to entities and licensees that it believes have failed to file a Certification of Compliance (“Certification”) pursuant to the Department’s Cybersecurity Regulation (“Regulation”). The Regulation required all DFS-regulated entities and licensed persons to submit a Certification by February 15, 2018 to verify compliance with the portions of the Regulation that were in effect at the end of 2017.

For an overview of the Regulation and its key compliance dates, please refer to the full DFS Regulation Client Alert.

For additional information regarding the DFS Regulation notices, please see our most recent Client Alert.

For additional questions about the recently issued Cybersecurity Regulation notices, please contact Jennifer A. Beckage at (716) 847-7093 or any member of the firm’s Data Security & Privacy Practice Team.

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued updated guidance to assist public companies with their disclosure obligations under the federal securities laws relating to cybersecurity risks and incidents (“Guidance”). In addition to expanding upon the SEC’s prior guidance on cybersecurity, which focused on the disclosure of cybersecurity risks and incidents, the Guidance addresses two new issues: the implementation of cybersecurity disclosure controls and procedures, and the application of insider trading prohibitions in the wake of cybersecurity incidents. For additional information regarding the SEC’s new Guidance, please refer to the full Data Security & Privacy Client Alert.

For a chronological summary of upcoming key dates and the corresponding obligations under the DFS Cybersecurity Regulation, please see our most recent Data Security & Privacy Client Alert.

Understanding and Managing Cybersecurity Risks Posed by Third Parties

Data security laws and regulations increasingly require businesses and organizations to exercise sufficient oversight of their third-party vendors’ data security practices. The interconnectedness of businesses and organizations in today’s marketplace makes it critical to review your contracts with third-party vendors and service providers to confirm that your data is adequately protected and that you have appropriate legal recourse in the event of a data security incident.

As noted in Phillips Lytle’s recent Data Security & Privacy Client Alert, the new General Data Protection Regulation (“GDPR”) takes effect on May 25, 2018. GDPR is a regulation that imposes requirements on businesses to protect the personal data of individuals in the European Union. The regulation employs a very broad definition of what constitutes personal data and sets out requirements for handling data and for reporting breaches. For additional information regarding the obligations under the new regulation, please refer to the full GDPR Client Alert.

New York Department of Financial Services Publishes a Reminder about the Upcoming February 15, 2018 Compliance Certification Filing Deadline for Its Cybersecurity Regulation

On Monday, Superintendent Maria T. Vullo of the New York State Department of Financial Services (“DFS”) issued a reminder about the upcoming certification deadline under the DFS’s landmark Cybersecurity Regulation (“Regulation”). Superintendent Vullo stated that “[t]he DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities.” Accordingly, by February 15, 2018, all Covered Entities under the Regulation must file their first compliance certification with DFS. The compliance certification is a statement to the Superintendent certifying that the Covered Entity complied with the Regulation during the preceding calendar year.

NYSDFS Cybersecurity Regulation: Certification of Compliance Required by February 15, 2018

As noted in Phillips Lytle’s most recent Data Security & Privacy Client Alert, only a few short weeks remain until the first certification deadline under the New York State Department of Financial Services Cybersecurity Regulation (“Regulation”). Pursuant to the Regulation, those operating, or required to operate, under New York banking, insurance and finance laws must submit their first certification of compliance with the Regulation by February 15, 2018.

Cybersecurity Pressures within the Insurance Industry

On December 3, 2017, the National Association of Insurance Commissioners (“NAIC”) Cybersecurity (EX) Working Group met and noted that the U.S. Department of the Treasury has recommended that states nationwide work to implement NAIC’s recently adopted Insurance Data Security Model Law (“Model Law”). The full text of the Model Law is available from the NAIC. The Model Law sets standards and best practices for insurers to follow in safeguarding consumers’ data, and it closely follows the New York State Department of Financial Services (“NYDFS”) Cybersecurity Regulation, 23 NYCRR 500, which was adopted earlier this year and applies to those regulated or licensed under New York insurance, banking or finance laws. In short, those in the insurance industry need to take action now to develop cybersecurity programs and procedures.

New York Seeks to Strengthen State Cybersecurity Laws through the Stop Hacks and Improve Electronic Data Security Act

In November 2017, New York Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) in the New York State legislature. The bill, sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh, seeks to amend current law to broaden both the definition of protected information and the definition of a reportable data security incident. As of November 27, 2017, the bill is under review by the Senate Rules Committee.

Under New York’s current breach notification law, the Attorney General’s office reports that it received nearly 1,300 data breach notifications in 2016, a 60 percent increase over the number reported in the previous year. According to an analysis performed by the Attorney General’s office, much of the information exposed in the reported breaches consisted of New York residents’ Social Security numbers and financial account information.