GDPR: Data Privacy Laws in Financial Services

Perficient Data & Analytics

My previous blog post addresses the reasons for the regulation and the requirements associated with the New York State Department of Financial Services (NYDFS) 23 NYCRR 500. Data protection must be designed into the development of business processes for products and services. An example is encryption, which renders the original data unintelligible and the process cannot be reversed without the correct decryption key.

NYDFS 500 and GDPR in Financial Services – Actions to Take Now

Perficient Data & Analytics

The first step any financial institution must take in its response to the laws is to evaluate its exposure and current capabilities in protecting sensitive business and customer data. Implement: Technical services are required to create/update cybersecurity policies and procedures. For more information on NYDFS 500 and GDPR laws and regulations on the financial services industry, please download our guide here, or click below.

Historic Charges: First Enforcement Action Filed by New York Department of Financial Services Under Cybersecurity Regulation

Data Matters

On July 21, 2020, the New York State Department of Financial Services (NYDFS or the Department) issued a statement of charges and notice of hearing (the Statement) against First American Title Insurance Company (First American) for violations of the Department’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Alternative controls can be put in place if encryption is infeasible.

Kali Project Encryption and Isolation Using Vagrant and BitLocker

Perficient Data & Analytics

Create a BitLocker-protected virtual drive to provide “encryption at rest” data protection for your project files and data portability for archival purposes. Provision a clean Kali Linux virtual machine, configured with an encrypted virtual storage device that provides “encryption at rest” for the virtual machine itself. The result is a configured, Vagrant-managed Kali virtual machine whose associated virtual storage device has been encrypted by VirtualBox.

Slack Launched Encryption Key Addon For Businesses

Security Affairs

Slack announced today the launch of encryption keys that will help businesses protect their data. What is the purpose of Enterprise Key Management if Slack really encrypts the data? Slack currently encrypts your data in transit and at rest.

NYDFS 500: Why the Regulation?

Perficient Data & Analytics

Previously, I discussed data privacy laws, specifically involving New York State Department of Financial Services (NYDFS) 23 NYCRR 500. Audit Trail: Securely maintain systems that (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and (2) include audit trails designed to detect and respond to harmful cybersecurity events.

New York State Expected to Increase Enforcement of Cybersecurity Practices

HL Chronicle of Data Protection

Companies should take note of two imminent developments in New York in the area of cybersecurity regulation: enforcement of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (Regulation) and the effective date of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act or Act). Accordingly, companies outside of the financial and healthcare industries should pay particular attention to the new data security obligations in the Act.

Emergence of Blockchain in Finance Requires Secure, Streamlined Data Management

InfoGoTo

Blockchain in finance is advancing as financial services providers and regulators look into the different ways cryptocurrencies will impact payments, value exchange and other elements of the financial landscape. Some financial institutions see value in adding cryptocurrencies to their existing line of products and services.

DataStax Advanced Security : Eat your vegetables first

Perficient Data & Analytics

Sarbanes Oxley, Basel II, the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) expose regulated industries to substantial reputational and financial risk. Cassandra’s TLS/SSL encryption is available between both the client and the database cluster as well as intra-node to provide for encryption for data in-flight.

Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

HL Chronicle of Data Protection

For example, the New York Department of Financial Services (‘NYDFS’) in March 2017 issued its Cybersecurity Regulation (23 NYCRR 500) (‘the NYDFS Cybersecurity Regulation’), a groundbreaking and far-reaching regulatory regime focused on financial institutions licensed in New York, including insurance companies.

Q&A: Here’s how Google’s labeling HTTP websites “Not Secure” will strengthen the Internet

The Last Watchdog

In a move to blanket the Internet with encrypted website traffic, Google is moving forward with its insistence that straggling website publishers adopt HTTPS Secure Sockets Layer (SSL). This makes any personal information and details of financial transactions typed on HTTP web pages easy pickings. It’s true that most financial services and big-name shopping websites have long ago moved to HTTPS.

EventBot, a new Android mobile malware, targets financial institutions across Europe

Security Affairs

Security experts from the Cybereason Nocturnus team discovered a new piece of Android malware dubbed EventBot that targets banks and financial services across Europe. Most of the victims are financial banking applications across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.

Blockchain, Cybersecurity and Global Finance

Hunton Privacy

In the near future, blockchain may become the new architecture of a reinvented global financial services infrastructure. The technology – a distributed, consensus-driven ledger that enables and records encrypted digital asset transfers without the need of a confirming third party – is revolutionary to global financial services, whose core functions include the trusted intermediary role ( e.g. , payment processor, broker, dealer, custodian).

NYDFS Cybersecurity Regulations: A glimpse into the future

Thales eSecurity

The cybersecurity regulation (23 NYCRR 500) adopted by the New York State Department of Financial Services (NYDFS) is nearly two years old. Leading up to that date, companies have had to meet several milestones including hiring a CISO, encrypting all their non-public consumer data and enabling multi-factor authentication. Even though these regulations only apply to New York, financial institutions across the U.S.

Ransomware at IT Services Provider Synoptek

Krebs on Security

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. A Sodinokibi attack earlier this month on Colorado-based IT services firm Complete Technology Solutions resulted in ransomware being installed on computers at more than 100 dentistry practices that relied on the company.

Experts linked ransomware attacks to China-linked APT27

Security Affairs

defense contractors , financial services firms, and a national data center in Central Asia. The hackers used the Windows drive encryption tool BitLocker to lock the servers. If APT27 focuses on cyberespionage, Winnti is known for its financial motivation.

NEW TECH: How ‘cryptographic splitting’ bakes-in security at a ‘protect-the-data-itself’ level

The Last Watchdog

Tech consultancy IDC recently estimated that global spending on security-related hardware, software and services is growing at a compound annual growth rate of 9.2%. Cryptographic splitting has to do with encrypting data, splitting this encrypted data into smaller, random chunks, and then distributing those smaller chunks to several storage locations. At each storage location, yet another layer of encryption is added. And we keep the data encrypted all the time.

Marriott Breach: More than 500 Million Guests Affected

Adam Levin

“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” Marriott disclosed in a statement. There is no clarity on credit cards, with the company at this time still unable to determine if the hackers were able to de-encrypt card numbers, but it is known that 327 million guests were exposed.

Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack

Security Affairs

The global shipping and mailing services company Pitney Bowes suffered a partial outage of its service caused by a ransomware attack. The Pitney Bowes company announced that a ransomware attack infected its systems and caused a partial system outage that made some of its services unavailable for some customers. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

New Obligations Under the NYDFS Cybersecurity Regulation Came Online in September

HL Chronicle of Data Protection

The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) came into effect March 1, 2017 (see our previous publications: “ New York Department of Financial Services Cybersecurity rules revised and delayed ,” “ The ‘Final Final’ Is Here: NYDFS Cybersecurity Regulations ,” and “ A guide to NYDFS Cybersecurity Regulation’s March 1 implementation deadline ”). Encryption of Non-public Information (Section 500.15).

FTC Proposes Changes to GLB Privacy and Safeguards Rules

Hunton Privacy

The proposed amendments to the Safeguards Rule, which went into effect in 2003 and imposes data security obligations on financial institutions over which the Commission has jurisdiction, are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners.

Tokenization: Ready for Prime Time

Thales eSecurity

For example, using a customer’s data to purchase goods from a merchant is different from using a customer’s data to identify a customer in a loyalty program or to provide health care services. And these identifiers are also used to access information for billing, order status, and customer service. Financial Services. Encryption and Tokenization. Encryption has been the preferred way to protect sensitive data, and it’s still valid for the majority of use cases.

A New Era for Data Protection

Thales eSecurity

The combination of our two companies creates the worldwide leader in digital security, protecting more data, transactions and identities than any other company and enabling tens of thousands of organizations to deliver trusted digital services to billions of individuals around the world. Global leadership in data encryption and key management. Global leadership in encryption for high-speed networks. It’s been an exciting week for everyone at Thales and Gemalto.

Maze ransomware gang discloses data from drug testing firm HMR

Security Affairs

The attack took place on March 14th, 2020, when the Maze ransomware operators exfiltrated data from HMR’s network and then encrypted its systems. Hammersmith Medicines Research is notifying impacted individuals of the incident via email; the hackers stole data and then employed ransomware to encrypt its systems. “Consider contacting CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration.”

Air Canada data breach – 20,000 users of its mobile app affected

Security Affairs

22-24, 2018, it added that financial data was protected but invited users to remain vigilant for fraudulent credit card transactions. Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry, or PCI standards. Air Canada data breach – The incident was confirmed by the company and may have affected 20,000 customers (1%) of its 1.7 million mobile app users.

Q&A: Sophos poll shows how attackers are taking advantage of cloud migration to wreak havoc

The Last Watchdog

But there’s no doubt that the exodus to a much greater dependency on hybrid cloud and multi-cloud resources – Infrastructure-as-a-Service ( IaaS ) and Platforms-as-a-Service ( PaaS ) – is in full swing. New cloud PaaS services, such as shared storage, containers, database services and serverless functions etc. typically cannot have a security agent running on them, so it’s left up to the organization to securely configure these services.

50 Ways to Avoid Getting Scammed on Black Friday

Adam Levin

Virtual credit cards similarly allow online shoppers to mask their financial accounts. Many financial institutions offer free transaction alerts that notify you when charges hit your account. SSLs ensure all data is encrypted. Shred financial documents.

New Trickbot module implements Remote App Credential-Grabbing features

Security Affairs

The new variant is being spread via spam emails that pose as tax-incentive notifications purporting to be from the financial services company Deloitte. Trickbot also uses encryption for its strings, implemented via simple variants of XOR or SUB routines, and also borrowed from the Carberp trojan source code the use of API hashes for indirect API calling.

Turning Aspiration into Action to Protect Financial Institutions

Thales eSecurity

While this event is still considered one of the most grandiose thefts, financial institutions today collectively face digital attacks that easily rival it. Theft and other data security incidents cost financial institutions millions of dollars and result in more consumer records being lost or stolen, year after year. Here’s a look at four common issues highlighted in the 2019 Thales Data Threat Report-Financial Services Edition and tips for overcoming them.

NYDFS Files First Cybersecurity Enforcement Action

Hunton Privacy

On Wednesday, July 22, the New York Department of Financial Services (the “NYDFS”) announced that it had filed administrative charges against First American Title Insurance Co. NYCRR 500.15: The requirement to implement controls, including encryption, to protect NPI held or transmitted by the covered entity both in transit over external networks and at rest.

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Data Protection Report

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective: the third-party service provider risk management program. However, covered entities will not be required to certify their compliance with the Regulation’s third-party service provider risk management provisions until February 15, 2020.

Whatever the future of payments, you can trust in a lack of trust

Thales eSecurity

The concept of payment, at its most fundamental, is simply about people agreeing to exchange goods or services. However, no matter how innovative these services are when it comes to the social relationships or the legal arrangements on which they depend, their ultimate success still comes down to trust – or rather, the lack of it. For this to happen requires some form of encryption to underpin it, with strong key management and signatures to ensure integrity and non-repudiation.

List of data breaches and cyber attacks in July 2019 – 2.2 billion records leaked

IT Governance

Department of Health Services email hacked exposing patient data (14,591). Hackers breach SyTech, a contractor for Russia’s national intelligence service (unknown). Maitland, FL, dentist says five months of patient records encrypted by ransomware (unknown). DNA testing service Vitagene left customer records online for years (3,000). Unprotected server at Brazilian financial services provider exposes customer data (unknown).

It’s time to think twice about retail loyalty programs

Thales eSecurity

We had some results this year from the 100+ US retail IT security professionals that were surveyed for the 2018 Thales Data Threat Report that differed from every other segment we polled (healthcare, federal government, financial services). When the Target and Home Depot breaches happened there was a sizeable hit for several quarters, if I recall the financial results – perhaps that’s no longer the case.

Office of Foreign Assets Control: Making or Facilitating Ransomware Payments May Violate U.S. Sanctions

Data Matters

Ransomware attacks use malware, often injected through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, and thus third-party services are often used to make such payments. Treasury’s Financial Crimes Enforcement Network (FinCEN), OFAC is sending a clear signal that making ransomware payments with a sanctions nexus threatens U.S.

Federal Agency Data is Under Siege

Thales eSecurity

Its unique capabilities include the design and deployment of equipment, systems and services to meet complex security requirements. The 57 percent rate statistic is the highest of all verticals we measured in this year’s report (others include the healthcare industry, the retail industry, and the financial services industry) or any region surveyed. federal respondents used more than five Infrastructure-as-a-Service (IaaS) vendors.

Sorting Through the Whirlwind of News on the Proposed Equifax Settlement and Capital One Breach

ARMA International

The Consumer Financial Protection Bureau (CFPB) will get $100 million of that in civil penalties with another $175 million going to states and territories. Checking whether your data was affected and what compensation and services you may be entitled to is fairly easy (to find out, visit www.equifaxbreachsettlement.com ), but actually getting reimbursed may be tougher. On July 22, 2019, the Federal Trade Commission (FTC) announced that it had reached a proposed settlement.

FTC Seeks Comment on Proposed Changes to its GLBA Safeguards and Privacy Rules

Data Matters

Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act.