PODCAST: The Hon. Gary Stein on Justice for Sale, his Biography of Martin T. Manton

Few lawyers know who Martin Manton was. Even fewer, if any, law students learn about Manton while in school. That may change with the Hon. Gary Stein’s recent biography of Manton, Justice for Sale: Graft, Greed, and a Crooked Federal Judge in 1930s Gotham (Gary Stein, ISBN 9781493072569).

Judge Stein tells the history of Judge Manton’s rapid rise – President Woodrow Wilson appointed Manton, then 36 years old, to the federal district court in 1916, then elevated him to the United States Court of Appeals for the Second Circuit two years later. As a judge, Manton continued to be involved in a number of businesses, including real estate ventures on which he had given mortgages. During the Great Depression of the 1930s, Manton desperately needed money and turned to selling his office, repeatedly soliciting payments from lawyers and litigants arguing cases before him. Judge Stein calculates that Manton received improper payments of about $823,000 – about $17 million today. Ultimately, in 1939, Manton was publicly exposed. This led to his resignation, prosecution, conviction, and imprisonment.
As Judge Stein discusses with Associate Dean Rodger Citron, the story of Manton’s corrupt conduct on the bench is an extraordinary tale.  Manton was friends with President Franklin Delano Roosevelt, served on the Second Circuit with, among others, the Hon. Learned Hand, and nearly was appointed to the United States Supreme Court in the 1920s.  This may seem like ancient history, but Judge Stein’s book reminds us that judges – even federal judges – are human, subject to the same flaws and foibles as the rest of us.  That is a timely lesson that is still instructive today.

Brought to you by the Touro Law Review.   

Our guest today is Magistrate Judge Gary Stein.


PODCAST: A Discussion with Nicole E. Osborne on Data Breaches and her Role as a Cybersecurity Attorney

Cybercrime has become a topic of discussion in the last few years. In this week’s Touro Law Review podcast moderated by Associate Dean Michelle Zakarin, Nicole E. Osborne joins us. Nicole is an Associate at the Law Firm of Ruskin Moscou Faltischek, P.C. and is a member of the firm’s Cybersecurity and Data Privacy Practice Group. Nicole gives advice to students who are interested in this practice area. She noted that there are a lot of traditional practice areas that lend themselves perfectly to a career in cybersecurity, such as health care law. 

The law of cybersecurity, Nicole states, is unpredictable; every day is different because it is an interdisciplinary area of law. She then dives into the specifics of data breaches, something Nicole deals with frequently and is very passionate about. She follows by discussing the importance of addressing these issues quickly and the different laws and regulations of each state, as well as federal legislation that might come into play. As the conversation continues, Nicole discusses threat actors, ransomware, and “double extortion.” Nicole also discusses the documents typically stolen by threat actors and ways to avoid breaches. Notably, she provides generally applicable tips and recommendations for all businesses because threat actors target small businesses just as much as large companies.

As a parting note, Nicole reminds us that this area is evolving rapidly and that it is very important to stay on top of these laws, even if it seems difficult. 


Brought to you by the Touro Law Review.   

Our guest today is Nicole E. Osborne, Esq.


PODCAST: Cyber Searches, Plain View, and Officer Inadvertence – with Michelle Zakarin

As the age of technology has taken this country by surprise, many courts are forced to adapt by applying pre-technology rules to new technological scenarios. One illustration is the plain view exception to the Fourth Amendment. Recently, the issue of officer inadvertence at the time of the search, a rule that the United States Supreme Court has specifically stated is not required in plain view inquiries, has been revisited in cyberlaw cases. It could be said that the courts interested in the existence of officer inadvertence, despite its lack of necessity, are properly doing so as a means of analysis for cyber cases to more suitably adjust to the searches of computers and related technology. The Tenth Circuit has knowingly disregarded Supreme Court precedent, and this continues its disagreement with the Fourth Circuit and perpetuates a circuit split that should be resolved by the Supreme Court.

Brought to you by the Touro Law Review.

Our guest this episode is Professor Michelle Zakarin.


23 NYCRR 500: The New Standard for Cybersecurity

By Denisse Stephanie Mira, J.D. Class of 2017, Co-Editor-in-Chief, Journal of Race, Gender, and Ethnicity

On September 13, 2016, New York Governor Andrew Cuomo proposed a first-of-its-kind cybersecurity regulation, 23 NYCRR 500 (the “Regulation”).[1] This Regulation applies to banks, insurers, and financial services companies regulated by the New York Department of Financial Services (the “DFS”).[2] It was slated to become effective January 1, 2017, but due to public comments concerning small businesses, it was revised and became effective as of March 1, 2017.[3] There is a 180-day grace period for companies to comply with the requirements unless otherwise specified.[4] Under the Regulation, an additional requirement to provide a Certification of Compliance to the DFS will commence on February 15, 2018.[5]

This Regulation has been in the works since 2014, following a series of high-profile data breaches at companies such as Target Corp. and The Home Depot, Inc.[6] The breaches at those companies led to millions of dollars in losses.[7] Governor Cuomo stated, “[t]hese strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”[8] The Regulation is the first of its kind in the nation because it provides actual rules instead of guidelines. It distinguishes itself from other cybersecurity regulations like the Gramm-Leach-Bliley Act’s (“GLBA”) privacy rule, which only offers recommendations.[9] If the Regulation’s rules are not followed, the DFS has ominous and broad authority in how it can seek enforcement and compliance.[10]

In formulating the new regulation, the DFS used the information it obtained from polling about 200 regulated banking institutions and insurance companies.[11] The DFS also surveyed a cross-section of those polled, along with cybersecurity experts, to discuss emerging trends and risks, due diligence processes, and policies and procedures governing relationships with third-party service providers.[12]

Who and What 23 NYCRR 500 Covers

The Regulation defines a “Covered Entity” as “any [p]erson operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.”[13] Recognizing that certain smaller entities may have difficulty reaching the minimum standard set by the DFS, the Regulation exempts them from some, but not all, of the requirements.[14] The Regulation also directly affects the third-party service providers of those “Covered Entities.” The third-party service providers must comply with the Regulation even if they may not be directly doing business in New York.[15]

The goal of the Regulation is to secure “Nonpublic Information”[16] from abuse, interference and unauthorized access.[17] It includes numerous categories of information that a “Covered Entity” receives either from consumers or about consumers, including information that is considered nonpublic personal information under the GLBA Privacy Rule.[18] Accordingly, the Regulation’s definition of nonpublic information is far broader than what New York’s pre-existing data protection law defines as “personal information.”[19]

Key Points of the Cybersecurity Program for Covered Entities

“Covered Entities” must:

  • Implement a cybersecurity program with written policies and an audit trail.
  • Implement procedures for assessing and testing the security of all internally and externally developed applications.
  • Assess risk to nonpublic information and information systems accessible to or held by third-party service providers.
  • Conduct third-party security assessments at least annually.
  • Require and provide that all personnel attend regular cybersecurity awareness training.
  • Create and implement controls to protect nonpublic information.
  • Establish an incident response plan for possible and actual data breaches.
      • The incident response plan must identify the individuals who will carry out the actions the plan specifies and set out their precise roles and responsibilities.
  • Employ a Chief Information Security Officer (“CISO”) and dedicated cybersecurity personnel.
      • The CISO and cybersecurity personnel can be internal or provided by a third-party service provider.
  • Identify cyber risks and conduct penetration testing at least annually and vulnerability assessments at least quarterly.[20]

Limiting Access to Information and Systems

Under the Regulation, “Covered Entities” will be required to encrypt their “Nonpublic Information” in transit by January 2018 and their “Nonpublic Information” at rest by January 2022.[21]

“Covered Entities” must also require multifactor authentication for remote access to their systems or for privileged access to the servers that contain “Nonpublic Information.”[22] Because of the extent to which the Regulation seeks to control “Nonpublic Information,” implementing these security measures may be expensive. The expense depends on how many platforms the information may be shared on, since each would need to meet the requirements of the Regulation, and any party that has access would need to be trained accordingly to remain compliant.[23]

The Regulation makes “Covered Entities” responsible for the cybersecurity practices of the third parties who hold or can access “Nonpublic Information.”[24] The third parties’ policies and procedures are to be assessed by the “Covered Entity” for any risks that come from using those third parties.[25]

This will be a challenge for “Covered Entities,” as they likely will not have full and direct access to examine or control the cybersecurity program a third party adopts.

Reporting

Notice of a “Cybersecurity Event” must be sent from the “Covered Entity” to the “Superintendent” within seventy-two hours of its occurrence.[26] The Regulation defines a “Cybersecurity Event” as any attempt or attack “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information . . .”[27]

This provision creates more of a problem than a solution. A “Covered Entity” may have to report a data breach or attempted breach to the “Superintendent” before the “Covered Entity” has an opportunity to fully assess the nature and extent of the incident. If an entity were allotted more time to address the breach, it would be better equipped to accurately communicate the scope of the event and detail the event’s nature and likely consequences with more precision. Thus, the data collected from the reporting would be more accurate for the DFS’s recordkeeping. These records are what the DFS will use to enforce the Regulation and protect the data that is exchanged.[28]

Recordkeeping

“Covered Entities” are subject to extensive recordkeeping requirements under the “audit trails.”[29] They must use the information from the “audit trails” to detect any attempted and actual attacks.[30] Such “audit trail” records must be maintained for three to six years depending on the type of data that is collected.[31]

Annual Certification

By February 15, 2018, “Covered Entities” must certify in writing to the Superintendent that they are in full compliance with the Regulation.[32] The record of certification must be maintained for at least five years and made available to the Superintendent upon request.[33]

It should be noted that the backup materials need only be maintained for five years and the audit trail materials must be maintained for three to six years, which suggests that the Superintendent may also use the audit trail as a source of information to search for additional violations.[34]

Individuals who sign the certification may be exposed to personal liability if the “Covered Entity” is ultimately found to be noncompliant.[35] The Superintendent may enforce the Regulation pursuant to her “authority under any applicable laws.”[36]

Conclusion

New York State is taking the lead in establishing these minimum standards for cybersecurity programs, but it is the “Covered Entities” and their third-party service providers that bear the expensive and tedious burden of meeting and keeping to the new standards imposed by the Regulation.

“Covered Entities” must start assessing cybersecurity risks, policies, and procedures to develop or enhance their cybersecurity program and to begin documenting and tracking their compliance efforts so that they can become compliant by August 28, 2017.[37]

Considering the ominous and broad repercussions under Section 500.20 for non-compliance, compliance attorneys and cybersecurity firms will be in high demand.

[1] Press Release, Dep’t of Fin. Services, Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions (Sept. 13, 2016) [hereinafter Press Release].

[2] Id.

[3] Id.

[4] Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500), N.Y. Dep’t of Fin. Services, http://dfs.ny.gov/about/cybersecurity.htm (last visited Apr. 12, 2017).

[5] Id.

[6] Karen Freifeld & Jim Finkle, New York State Cyber Security Regulation to Take Effect March 1, Thomson Reuters (Feb. 16, 2017, 4:14 PM), http://www.reuters.com/article/cyber-new-york-idUSL1N1G11F2.

[7] Id.

[8] Press Release, supra note 1.

[9] Gretchen A. Ramos & Larry P. Schiffer, New York Revamps Proposed Cybersecurity Regulation for Financial Services and Insurance Entities, Nat’l Law Rev. (Apr. 11, 2017), http://www.natlawreview.com/article/new-york-revamps-proposed-cybersecurity-regulation-financial-services-and-insurance.

[10] “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.20 (2017).

[11] Press Release, supra note 1.

[12] Press Release, supra note 1.

[13] 23 NYCRR § 500.01(c).

[14] Id. at § 500.19.

[15] Id. at § 500.03(l).

[16] Id. at § 500.01(g).

[17] Id. at § 500.01(g)(1).

[18] See 15 U.S.C. §§ 6801-09 (2011) (showing the categories of information that a “Covered Entity” receives).

[19] Compare 23 NYCRR § 500.01(g)(2), with N.Y. Pub. Off. Law § 92(7) (McKinney 2011).

[20] See generally 23 NYCRR § 500.

[21] Frequently Asked Questions Regarding 23 NYCRR PART 500, N.Y. Dep’t of Fin. Services (Mar. 13, 2017), http://www.dfs.ny.gov/about/cybersecurity_faqs.htm [hereinafter FAQ].

[22] 23 NYCRR § 500.11(b)(1).

[23] Id. at § 500.14.

[24] Id. at § 500.11.

[25] Id. at § 500.11(a).

[26] Id. at § 500.17.

[27] 23 NYCRR § 500.01(d).

[28] Id. at § 500.06.

[29] Id. at § 500.06.

[30] Id. at § 500.06.

[31] Id. at § 500.06(b).

[32] FAQ, supra note 21.

[33] 23 NYCRR § 500.17(b).

[34] Id. at § 500.02.

[35] “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.” 23 NYCRR § 500.20; see, e.g., N.Y. Bank Law § 672 (West through L.2017, chs. 1-23).

[36] 23 NYCRR § 500.20.

[37] FAQ, supra note 21.