October 20, 2021

Volume XI, Number 293


NYDFS FAQ Provides Clarity on Breach Notification and Security Requirements

The New York Department of Financial Services (NYDFS) recently clarified security incident notification requirements and the use of multi-factor authentication (MFA). On its FAQ page, the NYDFS added two new questions and answers for financial services companies subject to 23 NYCRR Part 500.

The first answer explains that covered entities must notify the NYDFS of security incidents that occur at a third-party service provider. Even if the third party notifies NYDFS on the covered entity’s behalf, covered entities still must directly notify the department. This requirement helps the NYDFS quickly identify threats and appropriately respond.

The second answer clarifies when covered entities must use multi-factor authentication. Namely, MFA should be used whenever accessing internal networks from an external network. This includes email, document hosting, and related services (whether on-premise or cloud-based). MFA may not be necessary if a covered entity’s CISO documents approval of similar or more secure access controls.

Putting it Into Practice: These updates highlight the importance of having proper breach notification procedures and security controls. Companies are reminded to notify the department of relevant breaches and to enable MFA by default for accessing internal networks.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 264

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Staff Attorney

Harrison Schafer is a staff attorney in the Intellectual Property practice group in the firm's Chicago office. He is a Privacy and Cybersecurity Fellow and a member of the Privacy and Cybersecurity Team. He is a certified information privacy professional (CIPP/E and CIPP/US) by the International Association of Privacy Professionals (IAPP).

Areas of Practice

As a fellow, Harrison’s practice focuses on publishing articles covering relevant legal developments in the privacy and cybersecurity space to...

312-499-6371