Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services


Introduction

On January 23, 2025, PayPal settled an enforcement action brought by the New York State Department of Financial Services (NY DFS) for failing to comply with the cybersecurity regulations that apply to financial services businesses under the Department’s supervision. The settlement, which included a $2 million fine and required remedial measures, arose out of a cybersecurity incident in which hackers gained access to PayPal customers’ sensitive information contained on tax forms in PayPal’s systems. As discussed further below, the incident highlights the importance of implementing an effective cybersecurity program and ensuring that employees are adequately trained to follow the program’s policies in practice.

Summary of the PayPal Enforcement Decision

The NY DFS sets standards for cybersecurity practices among financial institutions through the cybersecurity regulations established at 23 NYCRR Part 500. These regulations require all DFS-regulated entities to establish and maintain a comprehensive cybersecurity program that protects consumers’ nonpublic information (NPI) and ensures the security of their information systems.


Oh No, Canada! Takeaways from the Indictment of a Canadian National Allegedly Responsible for $65 Million DeFi Cryptocurrency Theft


On February 3, 2025, the U.S. Attorney’s Office for the Eastern District of New York (EDNY) unsealed an indictment against Andean Medjedovic, a 22-year-old Canadian national, for allegedly stealing approximately $65 million in cryptocurrency from two decentralized finance (DeFi) protocols, KyberSwap and Indexed Finance. Medjedovic is charged with wire fraud, violation of the Computer Fraud and Abuse Act (“CFAA”) for unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering, and money laundering conspiracy. This case highlights the growing risks and vulnerabilities in DeFi platforms, which remain attractive targets for sophisticated cybercriminals.

Understanding the Alleged Scheme

DeFi platforms like KyberSwap and Indexed Finance operate on blockchain networks and use “smart contracts” to manage user transactions. These smart contracts facilitate automated cryptocurrency exchanges by maintaining liquidity pools, which are funded by investors. The indictment alleges that Medjedovic manipulated these smart contracts through two different exploits to drain funds from the pools, defrauding investors in the process.


The UK Cyber Security and Resilience Bill


Background

The UK government has recently announced that it plans to introduce a Cyber Security and Resilience Bill (Bill). The Bill seeks to update the Network and Information Security Regulations 2018, which implemented the European Union (EU) NIS 1 Directive while the UK was a member of the EU.

A key driver behind the UK government’s plans is a desire to stay broadly aligned with evolving EU legislation, particularly with the significant expansion in scope of the new EU NIS 2 Directive. Once presented to Parliament, the Bill could become law by early 2026.


NYDFS Releases Pre-Proposed Second Amendment to its Cybersecurity Regulations, 23 NYCRR 500


On July 29, 2022, the New York Department of Financial Services (NYDFS) published the pre-proposed second amendment to its Cybersecurity Regulations, 23 NYCRR 500 (Part 500), which, if adopted, would likely require numerous policy and operational changes. NYDFS sought comments on the pre-proposal through August 18, 2022. Although this amendment has been long anticipated, the next step will be for NYDFS to formally publish the second amendment.

Effective in 2017, Part 500 was a first-of-its-kind state regulation that created mandatory cybersecurity and risk management regulations for “covered entities.” Part 500 defines Covered Entities as persons operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.


OFAC Issues Sanctions Compliance Guidance for Virtual Currencies


In October, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published new guidance for the virtual currency industry focusing on compliance with the financial industry’s obligations related to U.S. economic sanctions.

OFAC administers and enforces economic sanctions against targeted and/or sanctioned foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals.

As noted in the new guidance, virtual currencies are now playing an increasingly prominent role in the global economy. The growing relevance of virtual currency, both as an investment and as a payment method, brings greater exposure to sanctions risks. Specifically, there is an increased risk that a sanctioned entity, or an entity in a jurisdiction subject to sanctions, might use virtual currency as an alternative to fiat currency in an effort to evade U.S. sanctions. As such, the OFAC guidance specifically targets technology companies, virtual currency exchanges, virtual currency administrators, virtual currency miners, digital currency wallet providers, and users.


How We Spent Our Summer Vacation or Summary of CCPA Amendments


The long-anticipated amendments to the CCPA were passed by the California Legislature in early September and now await Governor Newsom’s signature. Some of the changes were “clean-up” amendments that update cross-references, standardize language, and generally address drafting issues. What follows is a summary of the most significant and substantive amendments:


©2025 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.