New York Department of Financial Services (NYDFS)

On November 9, 2022, New York Department of Financial Services (NYDFS) Superintendent Adrienne Harris announced that the NYDFS formally proposed an updated cybersecurity regulation.  Although the updates had previously been released in draft form, the formal announcement commences the 60-day comment period. 

The proposed regulations would create three different tiers of companies based on

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds “the deployment of ransomware

Delaware (July 31, 2019) and New Hampshire (August 2, 2019) have become the latest states to add to the insurance cybersecurity landscape by enacting information security laws.  These laws come on the heels of Connecticut’s law enacted a few days earlierNotably, while Connecticut followed the New York Department of Financial Services’ 2017 Cybersecurity

On July 26, 2019, Connecticut Governor Ned Lamont signed into the law the state’s new Insurance Data Security Law, which imposes new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department (“CID”).  In doing so, Connecticut joins New York, South Carolina, Ohio, Michigan, and Mississippi

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.
Continue Reading  NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

2017 brought a new trend in cybersecurity law – state agency rulemaking independent of legislative action. To be sure, Massachusetts has long had cybersecurity regulations on the books, but those regulations were enacted based on a legislative mandate. What occurred in 2017 is different because individual state agencies in New York, Colorado, and Vermont took it upon themselves to promulgate regulations directed at filling a perceived need to ensure that regulated entities were taking proper steps to protect confidential information. That action – and the expectation that we will see more in 2018 – has added another level of complexity to the web of state and federal laws that govern this area. In fact, in another sign that we can expect even more action in this area, at the end of 2017, the National Association of Insurance Commissioners issued a 13 page model data security law.
Continue Reading  State Cybersecurity Regulations: A Look Back at 2017