NY DFS’s Revised Cybersecurity Rules Are More Flexible, Still Mandatory For Banks And Financial Institutions – On December 28, 2016, the New York Department of Financial Services (“DFS”) issued a revised version of its proposed cybersecurity rule for banks, insurers, money service businesses, and regulated virtual currency operators who are licensed under New York’s banking, insurance, or financial services laws. This proposed rule would require financial entities to establish and maintain specific cybersecurity safeguards and procedures.
The original proposed rule, issued on September 13, 2016, was criticized by some organizations for various reasons. The proposed rule has been revised in several ways in response to industry comments. For example, financial institutions must now report only those cybersecurity events that (1) are required to be reported to any government or supervisory body, and (2) have a reasonable likelihood of materially harming the entity’s normal operations. The original proposed rule required entities to report any cybersecurity event to DFS within 72 hours, even if it was an unsuccessful attempt. The original proposed rule also required that regulated entities encrypt all sensitive data, including both data in transit and data at rest. The revised rule permits entities to secure sensitive data at rest without encryption using alternative compensating controls, if encryption is infeasible. Third-party oversight requirements have also been slightly relaxed in accordance with risks presented.
The revised proposed rule is subject to a 30-day comment period, which commenced on December 28, 2016. The rule is effective on March 1, 2017, with transitional periods ranging from six months to two years for various portions of the rule.
Reporter, Anush Emelianova, Atlanta, GA, +1 404 572 4616, aemelianova@kslaw.com.
New Jersey Senate Passes Law Requiring Notice Prior To Installation Of Remote Car Disabling “Payment Assurance Devices” – On December 19, 2016, the New Jersey Senate passed a bill requiring auto lenders to provide notice prior to installing “payment assurance devices” that can remotely disable an owner’s vehicle for failure to make a payment.
The bill defines a “payment assurance device” as “a device installed on a motor vehicle with global positioning system capability, starter interrupt capability allowing for the remote enabling or disabling of the motor vehicle, or both, and which is installed pursuant to a motor vehicle consumer’s financing agreement or lease agreement.”
In order to install a payment assurance device, an auto lender must first provide written notice of its installation to the purchaser at the time of purchase and not charge the purchaser for the installation.
For the auto lender to use the payment assurance device and disable the vehicle, the purchaser must be seven or more days in default “on any term under the financing agreement or lease agreement, including but not limited to the periodic payment due on the purchase or lease.” In addition, the purchaser must be provided at least seventy-two hours’ warning before the vehicle is disabled remotely. The purchaser must also be provided with the ability to start a disabled motor vehicle and use it for at least forty-eight hours in the event of an emergency. The bill does not address how responsive the auto lender must be to such a request, or what would qualify as an emergency.
Currently, there are no laws in the state of New Jersey that explicitly restrict the use of payment assurance devices. A bill co-sponsored by New Jersey Assemblymember Paul Moriarty in January 2015, A-4033, that would have prevented auto lenders from using payment assurance devices under any circumstances, did not make it out of chamber and was never advanced for a vote. Assemblymember Moriarty proposed A-4033 because of allegations of the use of payment assurance devices while the vehicle was in use. “We have had information about the use of these devices where people are driving down the highway and because they’re a day late on a loan, their car gets turned off while they’re driving and we’ve had people stranded at shopping centers with their kids and they weren’t able to start their car because it was turned off,” Moriarty said.
The legislation follows on the heels of research performed by Charlie Miller and Chris Valasek, who demonstrated that certain vehicle data access ports could be used to cause late-model vehicles to behave in an erratic and unsafe manner.
The bill, A-756, first passed the New Jersey Assembly by a vote of 53-21, and cleared the New Jersey Senate by a vote of 25-11. The bill now goes to the desk of Governor Chris Christie.
The bill can be found here.
Reporter, Stephen Abreu, San Francisco, CA, +1 415 318 1219, sabreu@kslaw.com.
Also In the News
King & Spalding Energy Practice Publishes Article On Maritime Cybersecurity Regulation – In 2016, a number of institutions and organizations—both domestic and international—showed an interest in promoting maritime cybersecurity. Critical energy infrastructure has long been at the forefront of cybersecurity, both because it is a frequent target of cyberattacks and because of the potentially debilitating effects of a successful attack. However, maritime cybersecurity regulations will not necessarily target just the energy industry and are likely to come from a variety of sources, some of which may be unfamiliar to industry players. As we head into 2017, King & Spalding encourages members of the energy industry to recognize and prepare for maritime cybersecurity regulation that is unquestionably on the horizon domestically and internationally. The full text of King & Spalding’s article on this topic can be found here.
King & Spalding’s 2017 Cybersecurity & Privacy Summit – On Monday, April 24, 2017, please join the cybersecurity and privacy experts at King & Spalding for the 2017 Cybersecurity & Privacy Summit. This event is for legal and business professionals who want to participate in a discussion about the latest developments and strategies for data protection. King & Spalding will provide a registration link in the coming weeks.