Net Neutrality 2017: The Battle Continues…

By Danny Restivo (posted 7/6/17)

On July 12, 2017, a number of website landing pages will display “blocked,” “please upgrade,” or “paying customers only” banners. Fortunately for active users, the banners will only last 24 hours. These protest banners (example below) will be part of the “Day of Action,” which is supported by the likes of Netflix, Amazon, Facebook, Twitter, GitHub, Reddit, OKCupid, Etsy, and a broad coalition of tech, media/social media, e-commerce, and other companies that peg their livelihood to the internet. The campaign aims to raise awareness regarding the Federal Communications Commission (FCC)’s proposed plan to roll back net neutrality measures later this summer.

Just two years ago, the FCC classified internet service providers as carriers under Title II of the Telecommunications Act. The decision forced ISPs to face regulatory measures like public utilities, while ensuring all ISPs treat content equally. Under President Donald Trump’s guidance, the FCC has targeted the regulation, drawing a number of large companies into a fray that may decide how online audiences view content.

The FCC’s net neutrality establishes three rules:

  1. Broadband providers can’t block access to legal content, applications, services or non-harmful devices.
  2. ISPs can’t impair or reduce lawful internet traffic on the basis of content, applications, services or non-harmful devices.
  3. They may not favor some internet traffic over other internet traffic in exchange for consideration of any kind—no paid prioritization or fast lanes.

“The Internet is the most powerful and pervasive platform on the planet. It’s simply too important to be left without rules and without referees on the field,” said Tom Wheeler, the former chair of the Federal Communications Commission, following the FCC’s 3-2 vote in favor of Net Neutrality in 2015. “Today is a red-letter day for Internet freedom, for consumers who want to use the Internet on their terms, for innovators who want to reach consumers without the control of gatekeepers.”

Since its implementation, the vote has drawn the ire of internet companies such as AT&T, Comcast, Oracle and Verizon. These industry leaders have cited government overreach, as well as limits to free speech and free market principles. Because net neutrality designates ISPs as “common carriers,” such as telephone companies, they are open to a host of other government regulations.

GOP leadership blasted the FCC ruling on similar grounds after it was approved in 2015.

“Overzealous government bureaucrats should keep their hands off the Internet,” Former House Speaker Rep. John Boehner (Ohio-R) said in a statement after the ruling. “More mandates and regulations on American innovation and entrepreneurship are not the answer, and that’s why Republicans will continue our efforts to stop this misguided scheme.”


Cable companies spent $44 million in lobbying efforts (including other issues besides net neutrality) during the 2015 showdown. Meanwhile, neutrality proponents like Amazon, Facebook and Alphabet Inc (formerly Google), paid $35 million in lobbying efforts that year.

Following his inauguration in January 2017, Trump enlisted the help of three net neutrality opponents to assist his FCC transition from Democratic to Republican control. On January 23, Trump appointed Ajit V. Pai to Chairman of the FCC. The former attorney for Verizon was one of two Republican votes against the 2015 decisions (Pai and Michael O’Rielly were the lone dissenters in the commission’s ruling).

Shortly after the transition, Congress overturned Obama-era internet privacy protections—a Republican bill removed regulations requiring individual permission before ISPs could sell users’ data. Only a few days later, White House Press Secretary Sean Spicer announced the President’s goals for reversing net neutrality during a March 30 press briefing. A month later, Pai unveiled plans to loosen government oversight of the internet during a speech at the Newseum in Washington, D.C.

“Two years ago, I warned that we were making a serious mistake,” said Pai. “It’s basic economics. The more heavily you regulate something, the less of it you’re likely to get.”

On May 18, the FCC voted 2-1 in favor of moving forward with rolling back the Obama administration’s Net Neutrality regulation. “The Restoring Internet Freedom Notice of Proposed Rulemaking” does not include specific details on how the FCC will remove Net Neutrality regulations; however, the proposal does allow for a 90-day public comment period. The FCC will stop receiving comments on July 18, but will allow a second 30-day commenting period for replies ending on August 18.

The FCC’s proposal includes three key tenets:

  1. Removes Title II classification from ISPs
  2. Returns classification of mobile broadband internet carriers to private mobile service
  3. Eliminates “the catch all internet conduct standard created by the Title II order”

Mignon Clyburn, a Democrat who previously voted for net neutrality, remained the lone dissenter during the May 18 vote.

“If you unequivocally trust that your broadband provider will always put the public interest over self-interest or the interest of their stockholders, then the ‘Destroying Internet Freedom’ [proposal] is for you,” she said after the vote.

Since the FCC announced its proposal, the President has tapped two more members to serve on the commission. On June 14, Trump nominated Democrat Jessica Rosenworcel, who previously served as commissioner until her term ended in 2016. Two weeks later, Trump nominated Republican Brendan Carr, a former FCC aide to Chairman Pai. Carr’s selection solidifies a 5-person commission. According to the rules, no more than three members of the commission may be of the same political party; if both Carr and Rosenworcel are confirmed, Republicans would have a 3-2 majority.

In conjunction with the commission’s plan, Sen. Mike Lee (Utah-R) introduced S. 993, the “Restoring Internet Freedom Act,” in early May. With nine other cosponsors, the proposed legislation would prohibit the FCC from classifying Internet Service Providers as Title II carriers ever again. The bill—Lee introduced an identical version nearly a year ago—would require legislative action to implement net neutrality in the future. The bill has been referred to the Committee on Commerce, Science and Transportation.

Lee, along with Senate cosponsors Ted Cruz (Texas-R) and Ron Johnson (Wisc.-R), penned an opinion piece about internet freedom in the Washington Post on May 4.

“We reject the idea that the federal government should control the Internet. That’s why we have introduced the Restoring Internet Freedom Act, which will complement Pai’s efforts to repeal the 2015 Internet takeover by preventing the FCC from issuing any similar regulations in the future.”

Meanwhile, 13 Democratic Senators signed a letter supporting the FCC’s Net Neutrality rules, which was published in TechCrunch on May 17.

“By proposing to take away the existing net neutrality protections, President Trump’s FCC is threatening to take away your ability to have free and open use of the internet. This proposal will have profound impacts on the way all of us watch movies, listen to music, do homework, talk to family, consult with a doctor, pay bills, and conduct business. Taking away these rules benefits no one except cable, telephone, and wireless broadband companies.”

The Internet Association, which represents Facebook, Google, Amazon, Netflix and other internet giants, released a white paper titled “Principles to Preserve and Protect an Open Internet” on June 21.  The paper outlined the “substance of the underlying rules” behind the FCC’s Net Neutrality. The paper contains “six principles and policies for preserving a free and open internet by which all proposals and potential changes to the rules will be judged.”

Principles to Preserve and Protect an Open Internet:

  1. Net neutrality rules preserve the success of the internet in driving economic growth.
  2. The FCC’s 2015 rules are working and the entire broadband internet ecosystem is thriving.
  3. Forecasting rules remain necessary to preserve and protect an open internet.
  4. Specific net neutrality rules are needed to preserve an open internet. These rules include: no blocking, no throttling, no paid prioritization, no unreasonable interference or disadvantaging of content by ISPs, and transparency and disclosure requirements.
  5. Open internet protections should apply to broadband internet access providers on a platform-neutral basis.
  6. Strong and effective enforcement by the FCC of net neutrality rules is critical to ensuring that the benefits of the rules are realized.

The paper also states, “a free and open internet remains vital to preserving and protecting the virtuous circle of broadband innovation that benefits edge-based innovators and entrepreneurs, businesses, ISPs, and, above all, consumers.”

It also said, “undoing the existing light touch rules will create uncertainty among edge providers, innovators, and consumers, and would threaten to unravel the most dynamic segment of our economy. Instead, policymakers should seek to preserve the current rules and ensure that they remain on a firm legal footing.”

In addition to large companies supporting net neutrality, more than 800 startups, innovators, entrepreneurs and investors from all 50 states sent a letter to Pai and the FCC.

“Without net neutrality, the incumbents who provide access to the Internet would be able to pick winners or losers in the market,” the letter reads. “They could impede traffic from our services in order to favor their own services or established competitors. Or they could impose new tolls on us, inhibiting consumer choice…Our companies should be able to compete with incumbents on the quality of our products and services, not our capacity to pay tolls to Internet access providers.”

If net neutrality gets abolished, companies like Verizon, Comcast, Oracle and AT&T have said they will be able to reinvest in infrastructure and broadband technology in communities throughout the United States.

“We also support Chairman Pai’s proposal to roll back Title II utility regulation on broadband,” Kathy Grillo, Verizon senior vice president and deputy general counsel, public policy and government affairs, said in a statement released on April 26. “Title II (or public utility regulation) is the wrong way to ensure net neutrality; it undermines investment, reduces jobs and stifles innovative new services. And by locking in current practices and players, it actually discourages the increased competition consumers are demanding.”

AT&T Chairman and CEO Randall Stephenson echoed Grillo’s comments.

“AT&T continues to support the fundamental tenets of net neutrality. And we remain committed to open internet protections that are fair and equal for everyone,” he said. “The bipartisan, light-touch regulatory approach that Congress established at the internet’s inception brought American consumers unparalleled investment in broadband infrastructure, created jobs and fueled economic growth. It was illogical for the FCC in 2015 to abandon that light-touch approach and instead regulate the internet under an 80-year-old law designed to set rates for the rotary-dial-telephone era.”

While many Silicon Valley tech companies have voiced opposition to the FCC plan, the multinational computer corporation Oracle has lent its support. In a letter sent to the FCC in early May, Oracle said “the stifling open internet regulations and broadband classification that the FCC put in place in 2015 – for just one aspect of the internet ecosystem – threw out both the technological consensus and the certainty needed for jobs and investment.”


Whether or not Pai and the FCC cement their proposal, the Net Neutrality rules will remain in effect through 2018.

Members of the public have until July 17 to comment on the FCC’s net neutrality proceeding. Reply comments will then be due on August 16, unless the FCC extends the process. After that, a final FCC decision on the net neutrality rollback could take several more months.

DMGS will continue to monitor this and provide updates as it develops.

Brett Goldman edited this report.

Technology Briefing: Hacking Vehicles

By Danny Restivo (Posted 5/3/17)

A few months ago, we looked at the legislative developments surrounding driverless vehicles–something that nearly all 50 states are thinking about. As driverless vehicles become reality and states continue to grapple with regulatory challenges, more threats have emerged, including the ability for hackers to take control of someone’s car whether they’re driving it or the car drives itself.

Recent technological developments have allowed drivers greater accessibility and convenience than ever before. Whether it’s a WiFi hotspot, a mobile car starter application, a locator connected to your phone or a computer located under the hood that monitors maintenance, new technology has given consumers and technicians a level of sophistication that was once the work of science fiction.

Unfortunately, a greater degree of convenience means an increased level of vulnerability. In August 2015, two hackers compromised a tech reporter’s vehicle on the highway (the Wired reporter was working on a story about the dangers of car hacking and was aware of their attempts). From a remote location, the two hacked into the reporter’s 2014 Jeep Cherokee and controlled the vehicle’s steering and brakes from a computer more than 10 miles away. Ultimately, the reporter’s car ended up in a ditch (no one was injured). The story grabbed public attention and Fiat Chrysler recalled more than 1.4 million vehicles, including Ram, Dodge, Jeep and Chrysler vehicles. A similar organized hack occurred in June 2016 when a British security firm purchased a 2017 Mitsubishi Outlander and successfully disabled the vehicle’s alarm system. Nissan, Tesla and Chevy have all experienced similar breaches in their vehicles’ computer systems.

The hacks underscore a growing concern among regulators and legislators that automakers haven’t built their vehicles’ communication systems securely. In light of these security vulnerabilities, the FBI, the Department of Transportation and the National Highway Traffic Safety Administration issued a public service announcement in March 2016.

“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the statement said. “Therefore, the FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”

They added: “Vulnerabilities stemming from wireless communication, such as a cellular phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi, can put drivers at significant risk.” The statement also included several best practices for minimizing cybersecurity risks:

  • Ensure vehicle software is up to date
  • Be aware of making any modifications to vehicle software
  • Exercise discretion when connecting third party devices to a vehicle
  • Be aware of who has physical access to your vehicle

If you end up a victim of a car hack:

  • Check for outstanding vehicle recalls or vehicle software updates
  • Contact the manufacturer or authorized dealer
  • Contact the National Highway Traffic Safety Administration
  • Contact the FBI

The NHTSA and the FBI also suggested that automakers and auto companies should consider the full life cycle of their vehicles, while creating a rapid response and recovery system to help stem cybersecurity incidents. With the introduction of autonomous driving technology by companies like Tesla Motors, Uber, and others, yet another layer of vulnerability has complicated the issue. In September 2016, the NHTSA issued a framework for states to regulate self-driving cars, but critics fault it for its lack of focus on car hacking. A 2016 report from the Government Accountability Office, an independent watchdog organization, said the Department of Transportation had not taken enough steps to help prevent car hacking.

“Until [DOT] develops such a plan … the agency’s response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take,” the report stated.

Shortly after hackers showcased their ability on a 2014 Jeep Cherokee, Senators Ed Markey (D-Mass) and Richard Blumenthal (D-Conn) introduced the SPY Act of 2015 (Security and Privacy in Your Car).  The proposed legislation would have created a uniform regulatory standard for vehicle communication, while protecting a driver’s privacy data. The bill would also have created a “cyber dashboard” to inform the public of how well the vehicle protects drivers’ security and privacy.  While Markey and Blumenthal’s legislation did not make it out of committee during the 114th Congress, they recently reintroduced the SPY Act legislation in March as S. 680, along with a reintroduction of the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber Air) Act (as S. 679 in the 115th Congress).

“This critical legislation will help protect the public against cybercriminals who exploit advances in technology like wireless-connected aircraft and self-driving cars,” said Blumenthal in a release following the reintroduction. “As technology rapidly advances, we must ensure that auto and airline industries protect their systems from cybersecurity attacks. Security and safety cannot be sacrificed as we achieve convenience and promise of wireless progress.”

Markey and Blumenthal cited a need to reintroduce the legislation because of an increased vulnerability in our transportation systems. After Uber unveiled plans to use driverless cars in Pittsburgh in September, the National Highway Traffic Safety Administration unveiled a federal framework for the technology to prosper, giving states a significant degree of sovereignty. However, some believe the NHTSA’s mandate didn’t go far enough in solving technological vulnerabilities in vehicles. Conversely, tech researchers and developers fear any federal regulatory framework will not ensure safety because cyber technology often outpaces the law, making hacks more accessible.

In a bipartisan effort, the House introduced a new piece of legislation to help safeguard drivers. Representatives Ted Lieu (D-CA) and Joe Wilson (R-SC) have cosponsored the Security and Privacy in Your Car Study Act of 2017. Compared to the Senate bill, the House bill would only perform a study of best practices.

While federal lawmakers debate the best path forward, some states have taken their own steps to improve cybersecurity in vehicles. In Michigan, home of the American auto industry, state lawmakers have decided to use deterrence as a weapon against car hacking. In August, the state senate unanimously passed a law that would increase the penalty to life in prison if the interference of a vehicle’s computer system resulted in death. According to state law, there’s a 10-year sentence and $50,000 fine for anyone who tampers with the computer system of a driverless vehicle that results in injury.

Virginia Governor Terry McAuliffe announced a public-private commission in May 2015 to help protect state troopers against cyberattacks. Just prior to the announcement, the Old Dominion became the first state to create its own information and analysis sharing organization to help protect against cyberattacks. As part of its public safety initiative, researchers hacked into two Virginia State Trooper vehicles: a 2012 Chevrolet Impala and a 2013 Ford Taurus. Researchers from the University of Virginia and a few private tech companies hacked into the vehicles’ control systems before meddling with the gear shift, instrument panel, car locks and trunk, and accessing the vehicles’ Bluetooth and key fob. While the organized hack was an attempt to raise awareness about the seriousness of car hacking, Governor McAuliffe continued a call for voluntary partnership between private and public entities in an effort to prevent car hacks.

While Michigan and Virginia pursue preventative action against car hacking, many state legislative bodies have tabled the issue. Every state has some sort of law on computer hacking, but none (besides Michigan) have laws that specifically deal with hacking vehicles. Meanwhile, New York University, University of Nevada, North Dakota State University, and others have taken steps in research and development to create cybersecurity systems for self-driving cars. Furthermore, the Oak Ridge National Laboratory in Tennessee has begun experimenting with electronic control systems to help protect the federal government’s automotive fleet.

“Car hacking remains a significant issue for automakers and regulators, but it hasn’t spurned the federal government into action, just yet,” says Brett Goldman, DMGS Manager of Special Projects. He adds that “it’s safe to say that at some point in the future, car hacking will receive greater public scrutiny, but whether that comes as an issue of legislative and regulatory foresight or as a reactionary measure to the unthinkable remains to be seen.”

 

Industry Overview: Stem Cell Research

By Danny Restivo (3/17/17)

In 2016, Cell Stem Cell, a leading medical journal for regenerative medicine, released a study showing 570 stem cell treatment facilities in the United States. In their advertisements, many of these clinics lauded an ability to treat degenerative diseases with stem cells. Research suggests that stem cells might be useful in the treatment of certain diseases like Parkinson’s, ALS, or arthritis, among others. However, many scientists question the legitimacy of these claims, citing a need for more research and definitive trials. While the Food and Drug Administration allows clinics to inject patients with their own stem cells, they prohibit “manipulation” of these cells.

Stem cells became the center of controversy in 2001 after President George W. Bush banned federal funds from stem cell research using human embryos. In recent years, scientists have circumvented this ethical dilemma by culturing and rejuvenating stem cells from healthy adults. Doctors can now take a cell, such as a skin cell, and return it to its early “pluripotent” stage, where it can then turn into any cell, such as one that serves heart tissue. Whether these cells prove effective in treating degenerative conditions remains in question, but it hasn’t stymied enthusiasm from patients seeking treatment for chronic ailments.

The FDA allows clinics to inject patients with stem cells under certain criteria. However, many of these clinics flout FDA regulations, including a stipulation on “minimal manipulation,” and a mandate that stem cells must come from a patient’s body. These clinics also sidestep guidelines by framing their work as experimental and research-driven. Furthermore, a recent study revealed many unregulated clinics use cells extracted from fat tissue, but the FDA says there’s no evidence they work. For example, some clinics advertise using cells from fat to help treat neurological disorders like Parkinson’s or Multiple Sclerosis. Unfortunately, fat cells do not normally control neurological movement. However, these clinics point to a number of personal stories that ultimately endorse stem cell treatment, including high profile athletes.

After experiencing a ligament tear in his elbow that ended his 2016 season, Los Angeles Angels pitcher Garrett Richards opted to receive stem cell treatment instead of the invasive Tommy John surgery. In the case of Richards, doctors extracted bone marrow from his pelvis before injecting the plasma into his injured elbow. In February, Richards was at spring training throwing a fastball at 98 mph. New York Mets pitcher Bartolo Colon received similar treatment in 2011 to help repair his shoulder, and continues to pitch at 43 years old. While he’s never publicly admitted it, reports have surfaced that quarterback Peyton Manning sought stem cell treatment in Europe after suffering a neck injury with the Indianapolis Colts in 2011.

While some believe stem cells have rejuvenated athletic careers, others point to regenerative medicine’s lifesaving potential. Sarah Hughes, a 25-year-old from Texas, was born with a rare form of juvenile arthritis. Because of immense pain, she was hospitalized for a significant portion of her youth, weighing only 83 pounds at one point. In 2014, she began seeking stem cell treatment. She had her own stem cells cultured in a Houston lab before traveling to Mexico to undergo treatment. FDA law does not allow a clinic to inject her with manipulated stem cells in the United States. A healthy Hughes attended President Donald Trump’s recent address to Congress as the guest of Rep. Pete Olson (R-TX). Trump referenced the plight of Hughes and Megan Crowley, a 20-year-old Notre Dame Sophomore, during his speech. Like Hughes, Crowley was born with a rare disease and did not expect to live past a few years, but sought regenerative treatment.

In his speech, Trump referenced a need to cut federal regulations on companies seeking to innovate new treatment methods.

“..our slow and burdensome approval process at the Food and Drug Administration keeps too many advances, like the one that saved Megan’s life, from reaching those in need. If we slash the restraints, not just at the FDA but across our Government, then we will be blessed with far more miracles like Megan.”

In September, Hughes spoke in Maryland during an FDA-hosted public hearing on potential stem cell regulations. While certain speakers urged looser stem cell regulations, others suggested caution and cracking down on those flouting the law. The FDA’s rules are pending, but the agency has only cleared one stem cell therapy product, Hemacord, which helps to restore low blood counts in patients with certain blood disorders. Conversely, FDA officials have only sent one warning letter to a stem cell clinic in California.

Although progress looms, troubling stories regarding unregulated stem cell clinics have surfaced. In some cases, patients seeking alternative treatment have traveled to Russia, Mexico or Europe only to return home with their conditions worsened by malignant tumors. Doctors and researchers say stem cells can divide rapidly, creating tumors and other mutations. While most of these cases have occurred overseas, doctors and researchers see it as a cautionary tale for a treatment that needs further research and oversight.

In August, the National Institutes of Health announced it would lift its ban on funding research that uses human stem cells and animal embryos. The ban’s removal comes after research offered potential for growing human tissue and organs in animals. In one case, a team of researchers found that putting rat stem cells into the embryo of a mouse ultimately led to a rat pancreas in the mouse. The NIH is now interested in injecting human stem cells into pig embryos in an effort to create human kidneys or livers. However, the NIH would continue a ban on funding any research that mixes animal embryos with human egg or sperm. Many people have questioned the ethics surrounding the injection of human stem cells into animal embryos, but the research could prove invaluable for people in need of a life-saving organ transplant.

In light of these research developments, analysts believe the stem cell market will significantly increase in the next five years. Predictions vary, but a March report from a French-based research firm says the stem cell therapy market will grow by 11 percent from 2016 to 2021, totaling $145.8 million. Another marketing research firm predicted the entire global stem cell market hitting $297 billion by 2022. Both reports cited an increase in private and public partnerships, the evolution of stem cell therapies and a belief that looser regulations in the United States will help accelerate the market.

While President Trump has not made definitive public statements on embryonic stem cell research, his Secretary of Health and Human Services, Tom Price, has long opposed federal funding for embryonic stem cell research, a view echoed by Vice President Mike Pence. Now that embryonic stem cell research has taken a back seat to pluripotent stem cell research, it’s unclear what the administration’s stance is on regenerative medicine.

Looking Ahead: The Intersection Between Cyber Security Regulation and the Financial Sector

By Danny Restivo

On September 13, The New York State Department of Financial Services (NYDFS) proposed a law calling for all regulated financial institutions in the Empire State to enact a list of cybersecurity measures.[1] The proposal requires banking, insurance, and financial services companies under the jurisdiction of the NYDFS to adopt and maintain a strong cybersecurity program.

Among the guidelines, the proposed regulation requires organizations (termed as “covered entities”) to designate a Chief Information Security Officer (CISO) to oversee cyber security programs and procedures. The mandates also include oversight measures for information shared by or with third parties, including law firms, accounting services, and marketing groups.[2]

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Andrew M. Cuomo in a statement from the New York State Department of Financial Services. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”[3]

Currently, the proposed regulation is open to a 45-day public commenting period after it was published on September 28 in the New York State Register. If the proposal is adopted, covered entities will have 180 days from January 1, 2017 to comply with its requirements.

The proposal aims to protect consumers, as well as financial institutions, from an increase in cyber-attacks. In 2015, large banks in the Philippines, Vietnam, Bangladesh and Ecuador experienced major hacks that netted millions for cybercriminals.[4] In light of these high-profile incidents, a number of large financial institutions have invested in secure digital infrastructures. As a result, many organizations already fall in line with New York’s proposal. However, many smaller covered entities have not made the same investments, and if the law is approved, they will be forced to make costly upgrades.[5]

Critics opposed to the regulation say the new guidelines overlap with mandates set forth by the Federal Financial Institutions Examination Council (FFIEC), an interagency body that includes the Federal Deposit Insurance Corporation, the Federal Reserve Board of Governors and the Consumer Financial Protection Bureau.[6] Although the FFIEC proposal has many of the same requirements, the NYDFS goes further in calling for cyber security assessments, notification of authorities within 72 hours of a breach and the appointment of a CISO.

While Cuomo dubbed the legislation a “first-in-the-nation,” other states have enacted similar regulation and guidance regarding cybersecurity. Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth require every business holding personal information on residents to comply with certain security safeguards.[7] Moreover, state authorities around the country have provided organizations with similar instructions for the adoption of cybersecurity standards. In California, the Attorney General’s office publishes an annual report that includes specific practices for “reasonable security measures” that align with the state’s information security statutes. These recommendations are not requirements, allowing organizations the flexibility to craft a cybersecurity program that best responds to their industry-specific vulnerabilities.[8]

Eric Martins and Brett Goldman of DMGS agree: “Ultimately, the NYDFS is far more prescriptive than any current state-authored regulation,” said Martins. While organizations outside the Empire State may want to ignore the NYDFS proposal, other governmental agencies have recognized the need to establish “minimum standards” for the protection of consumer-sensitive information.[9] If approved, New York’s cyber security regulation will be the first and it will serve as an important model for the efforts of other states that pursue comparable legislation. “I think the bigger question here,” adds Goldman, “is how quickly other states will take notice and make sure that their financial institutions and other businesses are proactive in protecting themselves from Cyber vulnerabilities.”

[1] “Governor Cuomo Announces Proposal of First-In-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions.” New York Department of Financial Services, Sept 13, 2016. https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-first-nation-cybersecurity-regulation-protect-consumers-and

[2] Bucsescu, Marle and Waxman, Matthew. “NY State Cyber Regulations for Banks.” Lawfareblog.com, Sept. 19, 2016. https://www.lawfareblog.com/ny-state-cyber-regulation-banks-model.

[3] Cuomo

[4] Pagliery, Jose. “Global Banking System: What you need to Know” CNN Money. May 28, 2016. http://money.cnn.com/2016/05/27/technology/swift-bank-hack/

[5] Taylor, Harriet. “Critics are Skeptical of New York’s Proposed Financial Security Laws.” CNBC. September 26, 2016. http://www.cnbc.com/2016/09/26/critics-are-skeptical-of-new-yorks-proposed-financial-cybersecurity-rules.html

[6] Jacob, C. Reade; Mao, Mark C.; Raether, I. Ronald Jr., and Taylor, Ashley L. “NY Proposes Regulations Requiring Financial Services Companies to Implement Cyber Security Measures.” Consumer Financial Services Law Monitor. September 26, 2016. http://www.consumerfinancialserviceslawmonitor.com/2016/09/ny-proposes-regulations-requiring-financial-services-companies-to-implement-cyber-security-measures/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

[7] Jacob, C. Reade; Mao, Mark C.; Raether, I. Ronald Jr., and Taylor, Ashley L

[8] Harris, Kamala. “California Data Breach Report: February 2016.” California Department of Justice. https://oag.ca.gov/breachreport2016

[9] Roberts, Jeff John. “Look Out Companies, Here Comes the Cyber Regulations.” Fortune, September 25, 2016. http://fortune.com/2016/09/25/cyber-regulations/

Brett Goldman edited this report