The New York Department of Financial Services recently amended its Cybersecurity Regulation. The revisions aim to strengthen cybersecurity and technology controls to address evolving threats to consumer data and ensure the continued integrity of financial systems. Here are a few key elements of the amendments to Regulation and what we think will be their immediate impact on financial institutions.

‘Tis the season for the hustle and bustle of year-end holiday activities. With that comes the increased risk of cybercriminals exploiting the season to find vulnerabilities. This includes taking advantage of increased online transactions, employee vacations, and holiday gift-giving to launch attacks on organizations large and small. Below are some steps companies can consider taking to increase their defenses against the most common holiday cybersecurity threats:

As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

Data processing agreements are a standard part of business arrangements involving personal data due to the European Union’s General Data Protection Regulation as well as the ever-expanding number of U.S. consumer privacy statutes.

Amendments have recently been proposed to two of the three statutes to be enacted under Canada’s Bill C-27: The Digital Charter Implementation Act. The statutes that may be amended are the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act. The proposed amendments would beef up the protections in both statutes.

The Federal Trade Commission has approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that creates a new data privacy regulatory reporting requirement for non-banking financial entities. Covered entities must notify the FTC within 30 days of discovery of a “notification event” that involves the unauthorized acquisition of unencrypted customer information of 500 or more consumers. The new rule, announced on October 27, takes effect 180 days after publication in the Federal Register, meaning approximately May 2024.

Last week, we discussed action taken by three states, Texas, California, and Ohio, to enhance protection of children’s data online. In this second installment, we shift our attention to address the 2023 legislative efforts of three additional states: Utah, Arkansas, and Connecticut.

On Monday, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This Executive Order follows several other AI-related government initiatives, including the Blueprint for an AI Bill of Rights, the National Institute of Standards and Technology AI Risk Management Framework, the National AI R&D Strategic Plan, and the National AI Research Resource Roadmap.

Over the past few years, states have launched various legislative expansion efforts to enhance the protection of children on social media and generally online. For example, this summer, Texas Gov. Greg Abbott (R) signed into law the Securing Children Online through Parental Empowerment Act (SCOPE Act), which goes into effect September 2024. By doing so, Texas joins a multitude of other states that have passed similar legislation, including Arkansas, California, Connecticut, Minnesota, Ohio, and Utah. In part one of this two-part series, we discuss the child data protection laws in Texas, California, and Ohio.

California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law.