On October 16, the New York State Department of Financial Services (NY DFS) issued an industry letter to entities regulated by NY DFS (covered entities) providing guidance addressing the cybersecurity risks associated with the use of artificial intelligence (AI). The guidance purportedly aims to assist covered entities in understanding and assessing cybersecurity risks associated with threats arising from the use of AI by cybercriminals and the controls that may be used to mitigate those risks. The NY DFS emphasizes that this new guidance does not impose any new requirements on covered entities, but rather it provides an outline for meeting existing compliance obligations under the NY DFS Cybersecurity Regulation, 23 NYCRR Part 500, in light of the advancements in AI technology.
James Koenig
Jim co-chairs the firm’s Privacy + Cyber Practice Group. For the past ten years, he has represented global clients in the financial services, energy, retail, pharmaceutical/health care, cable, telecommunications, car rental, airline, social media, technology, and manufacturing industries, including 35% of Fortune 100-listed companies.
California Privacy Protection Agency Announces Proposed Regulations for Data Broker Registration
On July 5, the California Privacy Protection Agency (CPPA) published a Notice of Proposed Rulemaking regarding Data Broker Registration pursuant to Senate Bill 362 (the Delete Act). The Delete Act requires the CPPA to establish an accessible deletion mechanism. This mechanism allows a consumer, through a single verifiable consumer request, to request that every data broker delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The stated aim of the proposed rulemaking is to clarify and enhance the registration process for data brokers.
FTC Amends Safeguards Rule to Require Reporting of Data Breaches
On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.
Introducing Our Incident Response Interactive Map
Companies dealing with a data incident confront an uneven landscape and requirements that can differ from state to state. It is easy to feel lost. Find your way with Troutman Pepper’s new Incident Response Interactive Map, created by our cybersecurity attorneys.
With a simple and intuitive user experience, our U.S. map provides state-by-state definitions, notification…
CCPA/CPRA Will Apply to Employee AND B2B Data — Five Steps to Prepare for the January 1, 2023 Effective Date
Exemption Extensions Failed. On August 31, California’s legislature ended its 2022 session without adopting legislation to extend the California Consumer Privacy Act (CCPA) employee and business-to-business (B2B) personal information exemptions. In the absence of a special legislative session, these exemptions will expire on January 1, 2023.
History of the Exemptions. Under the current exemptions, covered…
CFPB Turns Its Attention to Data Security – Seven Industry Practices You Need to Know Now
On August 11, the Consumer Financial Protection Bureau (CFPB) published a circular, answering the question “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?” with a resounding “yes.” Specifically, the CFPB pointed to three practices — inadequate authorization,…
New York Department of Financial Services Proposes Amendments to Its Cybersecurity Regulation
On July 29, New York State’s Department of Financial Services (NYDFS) released draft amendments (Draft Amendments) to its Part 500 Cybersecurity Regulation for financial service companies that, among other things: (1) contain significant changes regarding ransomware; (2) propose a new class comprising larger entities, which will be subject to increased obligations for their cybersecurity programs;…
Navigating the Critical Differences Between the CCPA and the CPRA
Thursday, May 26 • 12:00 – 1:00 p.m. ET
California was the first state to enact a comprehensive state privacy bill with the California Consumer Privacy Act of 2018 (CCPA). Although the CCPA went into effect on January 1, 2020, it was significantly overhauled during California’s November 2020 General Election, when the California Privacy Rights…
Connecticut Legislature Passes Comprehensive Privacy Legislation, Awaiting Governor’s Signature
On April 28, the Connecticut House passed Senate Bill 6, an act concerning personal data privacy and online monitoring (SB 6 or Connecticut Act). The Senate unanimously passed SB 6 on April 20, and the bill is now under consideration by Governor Ned Lamont. If the bill becomes law, it will go into effect on…