
InfoBytes Blog

Financial Services Law Insights and Observations


  • Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine

    State Issues

    The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing cyberattacks against Ukraine, which could spill over to other networks, as well as potential direct attacks against U.S. critical infrastructure.

    Updated cybersecurity regulation guidance

    NYDFS suggested that regulated entities with programs pursuant to its cybersecurity regulation (23 NYCRR 500) have the potential to mitigate increased cyber threats and should take the following steps:

    • Review cybersecurity programs for compliance, with particular attention to certain safeguards and core cybersecurity hygiene measures, including access control, vulnerability management, and privileged access review
    • Review, update, and test incident-response and business-continuity plans and ensure they address ransomware events
    • Review and implement practices pursuant to the June 2021 Ransomware Guidance
    • Re-evaluate plans to maintain essential services and protect critical data in the event of an extended outage or service disruption
    • Conduct a full test of backup and recovery abilities
    • Provide additional cybersecurity awareness training and reminders for all employees 

    NYDFS also advised that regulated entities should keep track of known threat actors and take extra precautions when doing business in Russia and Ukraine, including segregating Russian and Ukrainian networks. Regulated entities must report cybersecurity events that meet the criteria of 23 NYCRR 500.17(a) as promptly as possible and within 72 hours, and should also report cybersecurity events immediately to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency.

    Guidance in response to recent sanctions

    In the last week, the Biden administration imposed significant new sanctions targeting Russian assets, the Russian financial market, and Russian business dealings in response to Russia’s invasion of Ukraine. (See InfoBytes coverage here.) NYDFS reiterated that regulated entities should fully comply with U.S. sanctions on Russia, as well as Part 504 of its regulations regarding transaction monitoring and filtering. In order to comply with the new sanctions, NYDFS recommended that regulated entities take the following steps immediately:

    • Monitor all communications from NYDFS, the U.S. Department of the Treasury, the Office of Foreign Assets Control (OFAC), and other federal agencies on a real-time basis to keep tabs on the latest developments
    • Modify transaction monitoring and filtering programs as necessary to capture new sanctions as they are proposed
    • Monitor all transactions, particularly trade finance transactions and funds transfers, and identify and interdict transactions prohibited by U.S. sanctions
    • Update OFAC compliance policies and procedures on a continuous basis to incorporate the recent sanctions and any new sanctions that may be imposed

    Updated virtual currency regulation guidance

    NYDFS also cautioned that sanctioned entities may attempt to use virtual currency to evade sanctions. It said regulated entities must ensure they have “tailored policies, procedures, and processes to protect against the unique risks that virtual currency present” and are complying with the relevant state and federal laws, including the OFAC Sanctions Compliance Guidance for the Virtual Currency Industry and New York virtual currency regulation (23 NYCRR 200). Additionally, regulated entities should monitor the effectiveness of virtual currency-specific control measures, including sanctions lists, geographic screening, geolocation tools/IP address identification and blocking capabilities, and transaction monitoring and investigative tools, including blockchain analytics tools.

    Buckley will continue to monitor the ongoing situation in Ukraine and provide updates in conjunction with significant developments.

    If you have any questions regarding the NYDFS guidance or the recent Ukraine-related sanctions against Russia, please visit our Privacy, Cyber Risk & Data Security or Bank Secrecy Act/Anti-Money Laundering & Sanctions practice pages, or contact a Buckley attorney with whom you have worked in the past.

    State Issues Financial Crimes Federal Issues NYDFS OFAC Department of Treasury OFAC Sanctions Privacy/Cyber Risk & Data Security Russia Ukraine Ukraine Invasion 23 NYCRR Part 500 Special Alerts

  • District Court approves $15 million class action settlement over BIPA violations

    Courts

    On February 18, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a workplace management software company (defendant) violated the Illinois Biometric Information Privacy Act (BIPA) by collecting data without providing the requisite disclosures or obtaining informed written consent. According to the plaintiff’s motion for preliminary approval, the settlement class is comprised of nearly 172,000 Illinois employees who used the defendant’s biometric timekeeping devices at work and whose finger-scan data “was hosted” by the defendant. The defendant denied any violation of BIPA. Under the settlement agreement, the defendant will pay approximately $15 million into a non-reversionary settlement fund, and settlement class members, who need to file a valid claim to receive payment, are expected to receive between $290 and $580 each.

    Courts Class Action Privacy/Cyber Risk & Data Security BIPA State Issues Illinois

  • District Court: California privacy laws do not absolve discovery obligations in federal litigation

    Privacy, Cyber Risk & Data Security

    Last month, the U.S. District Court for the Central District of California granted plaintiffs’ motion to compel defendants’ responses to a request for production of documents after determining that defendants may not rely on the California Consumer Protection Act (CCPA) or other state laws to avoid discovery obligations in federal litigation. In 2020, the plaintiffs brought numerous claims, including violations of the Computer Fraud and Abuse Act and several related state law claims, alleging the defendants took the plaintiffs’ client database, marketing software, and computer to start their own business. After being served with a request for production of documents, the defendants asserted that producing the information would violate various California privacy laws, including the CCPA, the California Information Privacy Act, the California Privacy Rights Act, and Article 1, Section 1 of the California Constitution. The plaintiffs countered that the defendants’ objection should be overruled, as they had failed to establish “that there exists a reasonable right of privacy to the information sought to be disclosed,” arguing, among other things, that the defendants’ privacy concern “is undermined by their failure to enter into, or otherwise seek, a protective order.”

    The court agreed with the plaintiffs, concluding that the defendants’ privacy objection is without merit. According to the court, the California privacy rights asserted by the defendants were not applicable in this discovery proceeding because “even to the extent the California constitution and these California statutes create a privilege—which this Court does not decide here—only federal law on privilege applies in cases, such as this one, involving federal question jurisdiction.” Although the court noted that a federal law counterpart to California’s privacy laws does not exist, it affirmed that “federal courts recognize a right of privacy implicit in Rule 26.” Nevertheless, the court stated that, “to the extent such a privacy interest exists, ‘corporations have a lesser right to privacy than human beings and are not entitled to claim a right to privacy in terms of a fundamental right, [although] some right to privacy exists.” Moreover, “[c]ourts routinely have found that a corporation’s privacy rights may give way where the information requested is material, not available from another source, and protected from disclosure by a protective order.” The court ultimately found that “a proper balancing of the competing interests weighs in favor of granting” the plaintiff’s discovery requests, adding that the defendants did not offer or suggest any alternative means by which the plaintiff could obtain the information and that a protective order would mitigate any risk of harm.

    Privacy/Cyber Risk & Data Security Courts Discovery CCPA State Issues California

  • New York to coordinate state cybersecurity efforts

    Privacy, Cyber Risk & Data Security

    On February 22, New York Governor Kathy Hochul announced the creation of the Joint Security Operations Center (JSOC) to coordinate state efforts to anticipate potential cybersecurity threats and respond to security incidents. Calling the center the “first-of-its-kind” in the U.S., Hochul stated that JSOC “will serve as the nerve center for joint local, state and federal cyber efforts, including data collection, response efforts and information sharing,” and will strengthen the state’s ability to protect New York institutions, infrastructure, citizens, and public safety by bringing together security teams from city and regional governments, critical businesses and utilities, and state agencies. JSOC will also host cyber trainings and exercises in the upcoming months and “will help participating entities respond to potential issues and elevate systemic trends that may have otherwise gone undetected.”

    Privacy/Cyber Risk & Data Security State Issues New York

  • NIST to update cybersecurity framework with a focus on supply chain risk

    Privacy, Cyber Risk & Data Security

    On February 22, the National Institute of Standards and Technology (NIST) published a notice and request for information (RFI) in the Federal Register seeking information to assist in the evaluation and improvement of the agency’s “Framework for Improving Critical Infrastructure Cybersecurity,” as well as other existing and potential standards related to supply chain cybersecurity. NIST stated it is considering updating the framework (last updated in 2018) to account for the changing landscape of cybersecurity risks, technologies, and resources, and noted that it recently announced it intends to launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in this space. Responses to the RFI will help to inform the direction of the NIICS, including how it may be integrated and aligned with the framework. NIST explained that the framework outlines standards and guidance for private and public sector companies on how to prevent and respond to cyber threats. Acknowledging that much has changed in the cybersecurity landscape since the framework was last updated, including an increased awareness of and emphasis on supply chain cybersecurity risks, the RFI seeks information that will support the identification and prioritization of supply chain-related cybersecurity needs across sectors. Among other things, NIST is interested in: the usefulness of the framework for managing risks; the relationship of the framework to other NIST risk management resources; and how companies manage security risks to their software supply chains and whether this area of increasing concern should be incorporated into the framework or whether a new, separate framework focusing on cybersecurity supply chain risk management might be more valuable. Comments are due April 25.

    Privacy/Cyber Risk & Data Security NIST Agency Rule-Making & Guidance Federal Register Risk Management Supply Chain

  • District Court approves settlement in data breach suit

    Privacy, Cyber Risk & Data Security

    On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and entered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant), resolving allegations that the defendant failed to establish adequate security measures to protect its customers’ and employees’ data. According to the preliminary approval order, a third party gained unauthorized access to the defendant’s server, which stored the plaintiffs’ sensitive personal identifying information. The order noted that the security incident put the plaintiffs “at a high risk of identity theft and other cybercrimes.” The plaintiffs alleged in the complaint that the defendant violated California’s Unfair Competition Law, the California Consumer Privacy Act, and the FTC Act, among other things, by failing “to adequately ensure the privacy, confidentiality, and security of employee data entrusted to it and Defendant’s failure to have adequate data security measures in place.” Under the terms of the order, the defendant is required to establish a $2.6 million settlement fund to provide monetary settlement benefits to class members within forty-five days of a preliminary approval order directing class notice. The plaintiff class will be separated into two tiers: a nationwide class consisting of individuals residing in the U.S. who were or may have been impacted in the data breach, and a California subclass consisting of individuals who resided in California on July 18, 2020, who were or may have been impacted in the data breach. The order also granted $650,000 in class counsel fees and approximately $50,000 in costs and expenses. Each lead plaintiff received $1,500 as part of the settlement.

    Privacy/Cyber Risk & Data Security Courts Data Breach California CCPA FTC Act Class Action

  • District Court approves $14.8 million cloud subscription settlement

    Privacy, Cyber Risk & Data Security

    On August 4, the U.S. District Court for the Northern District of California approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint alleging the company breached its agreement with customers by hosting user data on third-party servers without providing proper notice, which resulted in overcharges. The plaintiffs alleged that the “selection of a cloud storage provider is a significant and material consideration as it involves entrusting all of a user’s stored data—including sensitive information like photographs, documents of all kinds, and e-mail content—to be stored by the cloud storage provider,” and that “users have an interest in who is offering this storage and taking custody of their data.” Plaintiffs claimed that, while the company assured users that it was the provider of the purchased cloud storage service, it was actually reselling cloud storage space on other third parties’ cloud facilities and charging users a “premium” for believing their data was being stored by the company. Approximately 16.9 million class members will receive individual settlement payments based on the overall payments made by each user for his or her cloud subscription during the class period. In granting final approval of the settlement, the court noted that the deal is fair, reasonable, and adequate.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action

  • California Privacy Protection Agency plans to finish rulemaking by Q4 of 2022

    Privacy, Cyber Risk & Data Security

    On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking in the third or fourth quarter of 2022. As previously covered by InfoBytes, last September, the CPPA formally called on stakeholders to provide preliminary comments on proposed CPRA rulemaking. The Act (effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 (covered by InfoBytes here) and amended the existing California Consumer Privacy Act. The invitation for comments highlighted several areas of interest for the CPPA, including topics concerning cybersecurity audits and risk assessments, automated decision-making, consumer privacy rights and requests to know, sensitive personal information, and dark patterns. While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the meeting that the rulemaking process will extend into the second half of the year. Soltani noted that preliminary and informational proceedings will take place sometime this March and April, and will include instructive sessions with various subject matter experts and public sessions to obtain stakeholder input, and will take into account responses from the comment solicitation period that ended November 8, 2021. Following these proceedings, the Board will begin the formal rulemaking process during the second and third quarters, with final rules being finished by the end of the year. Soltani acknowledged that while the Board is behind schedule with respect to the July deadline, the CPPA expects to use the extra time to fill open positions at the agency.

    Privacy/Cyber Risk & Data Security California CCPA CPRA CPPA State Issues Agency Rule-Making & Guidance

  • Consulting firm agrees to $4.95 million settlement to resolve class data breach claims

    Privacy, Cyber Risk & Data Security

    On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment agencies in Illinois, Colorado, and Ohio. According to the class’s supplemental brief in support of their motion for final approval, the allegedly poorly designed websites were subject to a data breach that resulted in unauthorized access to unemployment seekers’ personally identifiable information. The parties agreed to a nationwide settlement class of 237,675 individuals in Illinois, Colorado, and Ohio. These individuals were notified by their state employment agencies that certain personal information submitted when applying for pandemic-related unemployment claims may have been inadvertently exposed in a data breach. Under the terms of the settlement, the defendant agreed to establish a $4.95 million settlement fund to compensate eligible claimants, and will pay more than $1.6 million in attorneys’ fees and costs, as well as class member service awards.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • Texas AG issues CID to video streaming company

    State Issues

    On February 18, the Texas attorney general issued two Civil Investigative Demands (CIDs) to a video streaming company that focus on the company’s potential facilitation of human trafficking and child privacy violations, as well as other potential unlawful conduct. According to the CIDs, the company allegedly violated section 140A.002, Civil Racketeering Related to Trafficking of Persons, of the Texas Civil Practice and Remedies Code. The CIDs order the company to: (i) provide answers and documents in response to the CIDs; (ii) preserve documents and/or other data that relate to the subject matter or requests of the CIDs; and (iii) consult the AG prior to processing or making copies of hard-copy documents or electronically stored information in response to the CIDs.

    State Issues State Attorney General Texas CIDs Privacy/Cyber Risk & Data Security
