© All rights reserved to Barnea Jaffa Lande Law offices

Cybersecurity Regulation Enforcement Tightens in NY, Highlighting a Broader Trend

The New York State Department of Financial Services (NYDFS) and the Attorney General’s office have recently imposed significant fines totalling $11.3 million on Geico and Travelers for data breaches that compromised the driver’s license numbers and other sensitive personal data of approximately 120,000 individuals. These enforcement actions highlight NYDFS’ growing commitment to holding companies accountable under the NYDFS Cybersecurity Regulation (23 NYCRR 500).

This case is part of a larger national trend in which state-level cybersecurity regulations are becoming increasingly rigorous. Enforcement is tightening, and compliance requirements are expanding for organizations handling personal data, reflecting a growing emphasis on data protection across the U.S. Israeli companies operating in the U.S. should pay close attention to these developments. Compliance with evolving cybersecurity regulations is critical to avoiding penalties and safeguarding consumer trust in an increasingly vigilant regulatory environment.

Key Takeaways

  • Stronger Regulatory Enforcement: The fines underscore the NYDFS’ commitment to enforcing cybersecurity regulations, particularly in response to breaches that expose consumer data to fraud.
  • Broader Regulatory Landscape: Beyond New York, states such as California, Texas, and Illinois are implementing and enforcing stricter cybersecurity laws, signalling a broader shift toward heightened regulatory scrutiny at the state level. Currently, 19 states have enacted specific privacy laws, in addition to security breach notification (SBN) laws in all 50 states. Furthermore, sectoral regulations updated and enforced by federal bodies, such as the FTC, add a further layer of compliance obligations. Companies must adapt to this patchwork of state-level regulations to avoid significant penalties.
  • Data Breach Impact: The exposure of personal data was exploited for fraudulent unemployment claims, highlighting the consequences of inadequate data protection, including identity theft, reputational damage, and financial penalties.
  • Proactive Cybersecurity Measures: Companies must approach cybersecurity as a dynamic, ongoing process. Effective data protection strategies, including regular risk assessments and compliance monitoring, are essential to meet diverse state-level requirements and mitigate potential penalties.

Recommendations for Companies

To navigate this regulatory landscape and mitigate risks, companies should take the following steps:

  • Focus on Data Security: Employ robust data security practices, including encryption, regular vulnerability testing, safeguards such as CAPTCHA and automated bot detection tools, and identity verification measures.
  • Strengthen Compliance Frameworks: Establish comprehensive programs to meet varying state-level cybersecurity and privacy requirements, and continuously monitor state and federal cybersecurity regulations to stay informed and avoid penalties.
  • Establish Incident Management Procedures: Draft a procedure for handling data security incidents, including ongoing and periodic training for the legal counsel team, senior management, and IT personnel, to ensure preparedness and alignment on roles and responsibilities during an incident.
  • Incident Response Planning: Develop and maintain effective incident response plans that align with the requirements of different jurisdictions, including timely breach reporting, so that data breaches can be promptly addressed and their impact mitigated.
  • Leverage Expert Guidance: Work with legal and cybersecurity experts to interpret complex and overlapping regulatory requirements and implement best practices.

Conclusion

 

Conclusion

The fines imposed on Geico and Travelers reflect the NYDFS’s aggressive enforcement of cybersecurity standards and mark a significant moment in the rise of U.S. state-level regulation. Companies operating across multiple states must take proactive steps to enhance their cybersecurity posture and ensure compliance with the growing network of state laws. Proactively ensuring compliance not only mitigates risks but also builds trust with clients and stakeholders, demonstrating a commitment to data protection.

***

Dr. Avishay Klein is a partner at Barnea Jaffa Lande and heads the firm’s privacy, cyber and AI department.

Adv. Masha Yudashkin is an associate in the department.