New York Proposes Detailed Cybersecurity Regulation For Financial Institutions
On September 13, New York Governor Andrew Cuomo announced a proposed regulation by the New York State Department of Financial Services requiring banks, insurance companies, and other financial institutions regulated by the Department to establish and maintain a cybersecurity program to protect consumers and ensure the safety and soundness of the New York financial services industry. The proposed regulation is highly prescriptive, requiring specific measures such as multi-factor authentication, encryption for data in transit and at rest, and procedures for secure development or testing of applications. It also would require regulated institutions to notify the Department within 72 hours of a “cybersecurity event” that has a reasonable likelihood of materially affecting the entity’s normal operations or that affects non-public information.
Ninth Circuit Again Limits CDA Immunity On Failure-To-Warn Claim
Earlier this month, in Beckman v. Match.com, LLC, the U.S. Court of Appeals for the Ninth Circuit reversed the district court’s dismissal of a failure-to-warn negligence claim against the dating website Match.com, which matched the plaintiff with a man who assaulted her. In doing so, the Circuit found that the plaintiff’s claim was not barred by the immunity provision in Section 230 of the Communications Decency Act, which protects against claims that treat websites as the publishers or speakers of content provided by third parties. The decision follows the logic of the Ninth Circuit’s decision earlier this year in Doe No. 14 v. Internet Brands, on which we reported.
CFTC Approves Final Rules On Cybersecurity Testing
On September 8, the Commodity Futures Trading Commission approved two final rules to amend existing regulations relating to cybersecurity testing and system safeguard requirements for derivatives clearing organizations (DCOs), designated contract markets (DCMs), swap execution facilities (SEFs), and swap data repositories (SDRs). The rules require entities to conduct five types of cybersecurity testing, including (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessment. More information about the testing requirements can be found here.