Photo of Erik Dullea

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Keypoint: Section 500.17(b) of 23 NYCRR Part 500 (“Part 500”) requires all non-exempt Covered Entities regulated by the New York Department of Financial Services to submit their annual notices of compliance by April 15th.

Businesses that are subject to the NYDFS Cybersecurity Regulations have four weeks left to submit their annual notices of compliance or acknowledge their noncompliance. When the regulations were amended in 2023, several of the new requirements were phased in over two years. Businesses cannot simply re-use their notice from last year, without confirming that the new obligations were met and preparing for the requirements going into effect in 2025.  

Keypoint: New York has amended its data breach notification law twice in the last 60 days to (1) add a 30-day deadline for notifying affected residents, (2) clarify that covered financial entities must still notify the New York Department of Financial Services (NYDFS) in accordance with existing NYDFS cybersecurity regulations, and (3) expand the prior definition of “private information” to include medical and health insurance information.

In the last sixty days, the New York legislature twice amended its data breach notification law. In the below article, we discuss the amendments and takeaways for covered businesses.

Keypoint: The New York State Department of Financial Services (NYDFS) issued an industry letter outlining the threats posed to U.S. companies who hire remote technology workers linked to North Korea and may embezzle funds from their new employers.

On November 1, 2024, NYDFS issued guidance warning companies against an increasing risk posed from individuals applying for employment in IT roles who are in fact operating on behalf of North Korea. These applicants seek employment in order to infiltrate western companies’ computer systems and illicitly generate revenue for the North Korean regime.

Keypoint: The New York Department of Financial Services (NYDFS) circulated an industry letter offering guidance to NYDFS “Covered Entities” for assessing and managing AI-related cybersecurity risks, including threats malicious actors using AI and the risks associated with a Covered Entity’s own AI systems.

The NYDFS industry letter (“Letter”) recognizes that Covered Entities can leverage AI to enhance their cybersecurity posture. The department contends that doing so would bolster entities’ compliance with NYDFS cybersecurity regulation 23 NYCRR Part 500 (“Part 500”).

Keypoint: The Texas Attorney General reaches a first-of-its-kind settlement with a healthcare company that provides generative AI products. 

On September 18, 2024, the Texas Attorney General announced that it had reached a settlement with a Dallas-based artificial intelligence healthcare company. The Attorney General’s press release represents that it is a first-of-its-kind settlement, resolving allegations that the company deployed its artificial intelligence (“AI”) products at Texas hospitals while making false and misleading statements about the safety of its products. 

Keypoint: Companies onboarding AI products and services need to understand the potential risks associated with these products and implement contractual provisions to manage them.

With the rapid emergence of artificial intelligence (AI) products and services, companies using these products and services need to negotiate contractual provisions that adequately address the unique issues they present. However, given that this area is new and rapidly emerging, companies may not appreciate that the use of AI may raise unique contractual issues. Even if companies do realize it, they may not know what those provisions should state. In addition, many AI-related contractual terms are complicated and confusing, oftentimes containing new terms and definitions that companies are unfamiliar with handling. 

In the below article, we identify key considerations when reviewing or preparing AI-related contracts. Although there may be other considerations depending on the specific use case, the below considerations should provide the reader with a useful starting point for how to address this issue.

Key Point: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule, that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report to report “notification events” to the FTC. The FTC is defining a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Keypoint: To advance the National Cybersecurity Strategy, the Office of the National Cyber Director is soliciting public comments to harmonize cybersecurity regulations, with comments due by October 31, 2023.

In March 2023, the White House released its National Cybersecurity Strategy (NCS), which envisions two changes in how the United States allocates roles, responsibilities, and resources in cyberspace:

  • Rebalancing the responsibility to defend cyberspace; and
  • Realigning incentives towards long-term investments to reward security and resilience.

This rebalance and realignment explicitly acknowledges that collaboration between private and public sector stakeholders will be necessary.

Key Point: The decision making processes to determine whether a cybersecurity incident is material or not, should include documenting the factors behind each determination and should be practiced before an incident occurs.

In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and needs to be disclosed on a Current Report on Form 8-K, or whether the incident is not material.