Cybersecurity

Subscribe to Cybersecurity via RSS

State financial regulators in Colorado and Vermont recently adopted cybersecurity rules that apply to broker-dealers and investment advisers regulated by those states as well as certain other “securities professionals” in Vermont.

The broad definition of “securities professional” in Vermont’s regulation (“any person providing investment-related services in Vermont”) could include entities that do not generally consider themselves to be regulated by Vermont’s financial regulator.

Colorado’s and Vermont’s cybersecurity rules require covered entities to implement certain practices including: authentication practices for employee access (which could include multi-factor or two-factor authentication), procedures for authenticating client instructions received via electronic communication, and an annual cybersecurity risk assessment. Notably, Vermont’s regulation also requires that covered entities maintain cybersecurity insurance and provide identity restoration services in the event of a breach.

China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance.  However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally.  This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.

In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of

As we previously reported, in December 2016 the New York Department of Financial Services (the “DFS”) announced that it was revising its proposed regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Original Proposal”).

On December 28, 2016, the DFS released a revised version of the Original Proposal (the “Revised Proposal”) that incorporates greater flexibility with respect to requirements as well as delayed compliance deadlines. The Revised Proposal is subject to a final thirty-day comment period.

As we previously reported, in September 2016 the New York Department of Financial Services (the “DFS”) proposed a regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Proposal”). The comment period for the Proposal closed in mid-November.

In late December, a DFS spokesman said that a revised Proposal will be filed with the state register on December 28, 2016 (followed by a new thirty-day comment period) and that the revised Proposal will come into effect on March 1, 2017 (two months later than the Proposal’s previous effective date of January 1, 2017).

On December 2, 2016, the Federal Communications Commission (“FCC”) published its Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Order”) as a final rule in the Federal Register, adopting rules applicable to Internet service providers (“ISPs”) intended to protect the privacy of broadband consumers. Despite the publication of the rules in the Federal Register, uncertainty remains regarding when ISPs must be in compliance with some of these newly established privacy obligations. Although the rules are effective January 3, 2017, the FCC has made exceptions to the January 3, 2017 effective date for provisions which have not yet been approved by the Office of Management and Budget (“OMB”).[1] This includes many of the operative provisions of the new rules regarding ISPs’ data collection and use. Once such provisions are approved by the OMB, notice will be published in the Federal Register announcing their approval and corresponding effective dates.

Despite the uncertainty regarding the effective dates of many sections, the publication of the Order puts ISPs on notice of the new rules, and ISPs should begin revising their practices so that they are able to meet the earliest possible effective dates. Here is what ISPs need to know regarding compliance with the new rules:

On September 13, 2016, New York Governor Andrew Cuomo announced that the New York Department of Financial Services (the “DFS”) proposed a regulation that would require banks, insurance companies, and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program (the “Proposal”). If the Proposal