Peter Baldwin, Andy Taylor, Author at Discerning Data

New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations

A recent consent order between the New York State Department of Financial Services (“NYDFS”) and cryptocurrency trading platform, bitFlyer USA (“bitFlyer”), shows that the NYDFS continues to utilize an aggressive enforcement posture with respect to cybersecurity for regulated financial services companies. Notably, the bitFlyer consent order and other recent consent orders demonstrate that NYDFS is no longer waiting for regulated entities to experience a cyber-attack before commencing an enforcement action, and, instead, is using routine examinations to uncover and prosecute companies for failing to comply with the NYDFS’s cybersecurity regulations.

Background

In 2017, the NYDFS promulgated first-of-its-kind regulations establishing cybersecurity requirements for financial services companies. 23 NYCRR Part 500. These regulations were amended once and a proposed second amendment was published in late 2022, with final amendments expected to be adopted sometime later this year.

Continue reading “New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations”

Federal Court Holds Bank Liable For Business Email Compromise Losses

We have written on previous occasions about the rise in frequency and severity of Business Email Compromise (BEC) cyberattacks. As explained in other posts, BEC attacks are a type of phishing scam typically targeting companies in order to fraudulently direct payments of money to accounts associated with the attackers. Attackers typically target high-level executives or employees with access to financial systems. After the BEC attack, victims have typically had difficulty recovering the fraudulently misdirected funds, which are usually moved to offshore accounts very quickly.

However, a recent court decision in Virginia may have provided a roadmap for some BEC victims to seek compensation from the financial institutions that facilitate the fraudulent transfers of money. In Studco Bldg. Sys. US, LLC v. 1st Advantage Fed. Credit Union, WL 1926747 (2023), a United States District Court Judge held that one of the financial institutions involved in facilitating a BEC payment did not act in a commercially reasonable manner in allowing the transaction to take place. Because the financial institution acted negligently, the victim of the BEC was awarded a judgment of $558,868.71

Continue reading “Federal Court Holds Bank Liable For Business Email Compromise Losses”

NYDFS Releases Pre-Proposed Second Amendment to its Cybersecurity Regulations, 23 NYCRR 500

On July 29, 2022, the New York Department of Financial Services (NYDFS) published the pre-proposed second amendment to its Cybersecurity Regulations, 23 NYCRR 500 (Part 500), that if adopted, would likely require numerous policy and operational changes. NYDFS sought comments to the pre-proposal through August 18, 2022. Although this amendment has been long-anticipated, the next step will be for NYDFS to formally publish the second amendment.

Effective in 2017, Part 500 was a first-of-its-kind state regulation that created mandatory cybersecurity and risk management regulations for “covered entities.” Part 500 defines Covered Entities as persons operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

Continue reading “NYDFS Releases Pre-Proposed Second Amendment to its Cybersecurity Regulations, 23 NYCRR 500”

New York Department of Financial Services Announces $5 Million Penalty in Most Recent Cybersecurity Enforcement Action

On June 23, 2022, the New York State Department of Financial Services (NYDFS) announced the entry of a Consent Order in connection with its most recent cybersecurity enforcement action, which included a $5 million monetary penalty against Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (“Carnival Companies”), for violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (“Part 500”). In addition to the $5 million monetary penalty, the Carnival Companies also surrendered their insurance producer licenses and agreed to cease selling insurance to residents of New York.

According to the Consent Order, between 2019 and 2021, the Carnival Companies were the subject of four separate cybersecurity events, including ransomware and phishing attacks. All four of the cybersecurity events led to the exposure of nonpublic personal information (NPI) of both consumers and employees, including such information as names, addresses, birth dates, passport numbers, and in some instances, other sensitive information such as social security numbers and health information.

Continue reading “New York Department of Financial Services Announces $5 Million Penalty in Most Recent Cybersecurity Enforcement Action”

What Are Social Engineering Attacks? How Can You Protect Yourself? – A Faegre Drinker on Law and Technology Podcast

Social engineering attacks are at the core of all cyberattacks, as threat actors use many different types of psychological manipulation to kick off their cyberattacks. In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss welcomes Peter Baldwin — who focuses his practice in white collar criminal investigations and cyber-incident response — and they explore the ins and outs of social engineering attacks, how to identify them and how to defeat them.

In this episode with a special twist, Pete takes the “host microphone” and chats with Jason, who takes on the role of podcast guest tackling a number of questions, including:

What are the main underlying pillars of a social engineering attack? What is their foundation and what makes them successful?
How do the more common social engineering attacks work? Such as phishing, spear phishing, whaling, business email compromises, dumpster diving, smishing, vishing, catfishing, gas lighting and SIM swapping?
What are the top targets in health care, financial services and manufacturing?
What are some good defenses to help people prevent many of the more common social engineering attacks?

HHS Ransomware Report Details Revival of Dangerous LOTL Cyberattack

On May 5, 2022, the U.S. Department of Health and Human Services (HHS) issued a report entitled “Ransomware Trends in the HPH Sector” (HHS Report) that reviewed key cybersecurity threats and trends affecting the U.S. healthcare sector.

Continue reading “HHS Ransomware Report Details Revival of Dangerous LOTL Cyberattack”

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Author: Peter Baldwin