July 27, 2021

Volume XI, Number 208


NY Department of Financial Services Issues Cyber Fraud Alert to Regulated Entities Using Instant Quote Websites

On February 16, 2021, the New York Department of Financial Services (“NYDFS”) issued a Cyber Fraud Alert (the “Alert”) to regulated entities in light of a growing campaign to steal Nonpublic Information (“NPI”), as defined under New York law, from public-facing websites that provide instant quotes for products like auto insurance (“Instant Quote Websites”). The NYDFS learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver’s license numbers. NYDFS attributes the growing threat activity, in part, to heightened fraud during the COVID-19 pandemic. As we previously reported, NYDFS issued guidance regarding cybersecurity during the pandemic in April 2020.

The Alert (1) calls for all regulated entities with public-facing websites to immediately remediate any security flaws; (2) reminds regulated entities to report Cybersecurity Events as promptly as possible and within 72 hours at the latest pursuant to New York cybersecurity requirements for financial services companies; and (3) asks that attempted thefts of NPI from public-facing sites promptly be reported to NYDFS.

The Alert contains additional information on detecting data theft and states that all regulated entities that use Instant Quote Websites should immediately review (1) data analytics and website traffic metrics for spikes in quote requests and (2) server logs for evidence of unauthorized access to NPI, in order to determine whether their sites have been hacked.

Lastly, the Alert provides recommendations to secure data, noting that (1) regulated entities should review whether it is necessary to display any NPI (even redacted NPI) and (2) NPI should not be displayed on public-facing sites unless there is a compelling reason to do so. NYDFS’ recommended steps for entities maintaining public-facing sites displaying or transmitting NPI include:

  • Conducting a thorough review of security controls, including SSL, TLS, HSTS and HTML configurations;

  • Verifying and, if possible, limiting access that users have to manipulate website content using web developer tools;

  • Confirming that data redaction and obfuscation solutions for NPI are properly implemented;

  • Ensuring that privacy protections are up-to-date and adequately protect NPI by reviewing who is authorized to view it;

  • Searching and scrubbing public code repositories for proprietary code; and

  • Blocking the IP addresses of suspected unauthorized users and considering quote limits per user session.
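The log review the Alert calls for, as an added example that is not from the Alert or this article: it scans constructed access-log lines for an assumed /quote endpoint and flags clients whose quote requests spike above a per-window limit, the same per-client count that a per-session quote limit would enforce. The log format, endpoint path, window and threshold are all assumptions.

```python
# Added example, not from the NYDFS Alert: flag spikes of instant-quote requests per client.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): '<ip> [<ISO timestamp>] "<method> <path>" <status>'
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+)" (\d{3})$')
QUOTE_PATH = "/quote"  # assumed path of the instant-quote endpoint

# Constructed sample log: one client hammers the quote endpoint, another browses normally.
SAMPLE_LOG = """\
203.0.113.5 [2021-02-16T10:00:00] "POST /quote" 200
198.51.100.7 [2021-02-16T10:00:05] "GET /" 200
203.0.113.5 [2021-02-16T10:00:06] "POST /quote" 200
203.0.113.5 [2021-02-16T10:00:09] "POST /quote" 200
198.51.100.7 [2021-02-16T10:00:20] "POST /quote" 200
203.0.113.5 [2021-02-16T10:00:31] "POST /quote" 200
203.0.113.5 [2021-02-16T10:00:40] "POST /quote" 200
203.0.113.5 [2021-02-16T10:01:05] "POST /quote" 200
"""

def parse_quote_requests(log_text):
    """Return {client_ip: [timestamps]} for requests that hit the quote endpoint."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the review
        ip, ts, _method, path, _status = m.groups()
        if path == QUOTE_PATH:
            per_client[ip].append(datetime.fromisoformat(ts))
    return per_client

def find_spikes(per_client, limit=3, window=timedelta(minutes=1)):
    """Flag clients exceeding `limit` quote requests inside any sliding `window`.
    Returns {client_ip: peak_count} for offenders only."""
    offenders = {}
    for ip, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            offenders[ip] = peak
    return offenders

if __name__ == "__main__":
    print(find_spikes(parse_quote_requests(SAMPLE_LOG)))  # {'203.0.113.5': 5}
```

Flagged clients are candidates for the IP blocking and session quote limits the Alert recommends, and their log entries are where to look for access to NPI.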

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 53

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
