On October 18, 2022, the New York State Department of Financial Services announced that EyeMed Vision Care LLC agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.
Continue Reading NYDFS Fines EyeMed $4.5 Million for Cybersecurity Violations

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach.
Continue Reading New York Attorney General Fines E-Commerce Parent Company for Failing to Properly Handle a Data Breach

On July 29, 2022, the New York Department of Financial Services posted proposed amendments to its Cybersecurity Requirements for Financial Services Companies. This blog entry provides highlights of the amendments.
Continue Reading Proposed Amendments to NY Financial Services Cybersecurity Regulations Impose New Obligations on Large Entities, Boards of Directors and CISOs

New York recently became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education requirements. The new requirement will take effect July 1, 2023.
Continue Reading New York Becomes First State to Require CLE in Cybersecurity, Privacy and Data Protection

On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to conduct certification by a qualified third institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfer within a group, whereas the Standard Contract may be more popular under other scenarios of cross-border transfers.

Continue Reading China Issues Draft Provisions on Standard Contract for Cross-Border Transfer of Personal Information

On June 24, 2022, the New York State Department of Financial Services announced it had entered into a $5 million settlement with Carnival Corp., the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.
Continue Reading NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches