Federal Regulation - U.S.

Regulators and Plaintiffs Aren’t Waiting for Privacy Legislation: Companies Face Potential Liability Now and Can Take Steps to Reduce Risks

By Avi Gesser, Eric McLaughlin, Greg Swanson & Clara Y. Kim on April 29, 2019

Posted in Civil Liability, Federal Regulation - U.S., FTC, Information Security, SEC

Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works. But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for…
Continue Reading

The FTC Moves Toward a Rules-Based Approach to Cybersecurity Regulation for Financial Institutions

By Avi Gesser, Kelsey Clark, Jennifer E. Kerslake & Eric McLaughlin on April 8, 2019

Posted in Federal Regulation - U.S., FTC, Proposed Regulations

In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation. Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into…
Continue Reading

Alternative Data Goes Mainstream, and Gets Increased Attention from Regulators

By Avi Gesser, Eric McLaughlin, Clara Y. Kim & Sumeet Sanjeev Shroff on February 25, 2019

Posted in Cyberaware, Federal Regulation - U.S., Gramm-Leach Bliley Act, NY Department of Financial Services, State and U.S. Territory Regulation

In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data—a shorthand for big data sets, such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative…
Continue Reading

Your Sensitive Information Was Accessed in a Government Hack? You May Have No Remedy.

By Avi Gesser, Shahira D. Ali, Kelsey Clark & Alicia Robinson on September 29, 2017

Posted in Cyberaware, Federal Regulation - U.S., SEC

In a statement issued on Wednesday, September 20th, the U.S. Securities and Exchange Commission (SEC) revealed that it was investigating a 2016 data breach of its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database. The SEC does not believe that personally identifiable information was exposed, but the investigation is still…
Continue Reading

Davis Polk Memo – Banking Regulators Float Broad Cyber Risk Approach

By Avi Gesser on October 31, 2016

Posted in Board of Directors, Breach Guidance, Federal Regulation - U.S., Financial Sector, Information Security, Inter-Agency, Proposed Regulations, Vulnerability Remediation

We have issued a memo on recent proposed U.S. federal banking regulations that could significantly expand the existing cybersecurity regulatory framework for covered financial institutions. The Enhanced Standards intend to strengthen cyberattack preventative measures and post-attack responses.

Read the Full Memo »
Continue Reading

FinCEN Issues Advisory and FAQs on Cyber-Events and Cyber-Enabled Crime

By Avi Gesser on October 27, 2016

Posted in Federal Regulation - U.S., Financial Sector

FinCEN Issues Advisory and FAQs on Cyber-Events and Cyber-Enabled Crime (10/27)

On October 25, 2016 FinCEN issued an advisory and FAQs to financial institutions regarding their Suspicious Activity Report (SAR) obligations with respect to cyber-events, cyber-enabled crime, and cyber-related information as those terms are defined. The FAQs supersede previous FAQs …
Continue Reading