Peter Baldwin, Author at Discerning Data

UK and US Announce Partnership on Science of AI Safety

On 1 April 2024, the UK and US signed a memorandum of understanding on the science of AI safety. This partnership is the first of its kind and will see the two countries work together to assess risks and develop safety tests for the most advanced AI models.

Following their announcement of cooperation at the AI Safety Summit in Bletchley Park last November, the UK and US have formally agreed to align their scientific approaches to AI safety testing, with plans to perform at least one joint testing exercise on a publicly accessible model. The partnership will take effect immediately and will see the two countries work together to tackle the safety risks posed by next-generation versions of AI. The agreement will facilitate collaboration between the UK AI Safety Institute (formed last November) and the US AI Safety Institute (which is still in its initial stages) and will include the sharing of vital information and research on the capabilities and risks associated with AI systems, together with the exchange of expertise through researcher secondments between the institutes.

Continue reading “UK and US Announce Partnership on Science of AI Safety”

NIST Releases Cybersecurity Framework 2.0

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 2.0 (CSF 2.0). CSF 2.0 represents the first major update to the Cybersecurity Framework, which was first released in February 2014. CSF 2.0 provides an increased focus on entities’ governance functions and broadens the CSF’s scope. For companies subject to state and federal standards demanding “reasonable security,” CSF 2.0 is particularly important because it could very well become the de facto standard of care under various cybersecurity and data privacy laws.

Focus on Governance

CSF 2.0 builds on the five high-level functions from CSF 1.0 (Identify, Protect, Detect, Respond, and Recover) by introducing a new core function—Govern. This function focuses on ensuring that an organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored. In particular, this new core function emphasizes that an organization’s cybersecurity framework must be (i) based on the organization’s individual circumstances, goals, and risk appetite; (ii) well established and communicated within the organization to ensure compliance and continuity; and (iii) continually reviewed and improved.

Continue reading “NIST Releases Cybersecurity Framework 2.0”

Cybersecurity Enforcement Update: NYDFS Adopts Final Amendments to its Cybersecurity Regulations and SEC Sues SolarWinds Executive

Recent activity by the New York Department of Financial Services (NYDFS) and the Securities and Exchange Commission (SEC) highlight the continued focus by government regulators on cybersecurity. As these and other regulators take an increasingly assertive enforcement posture, companies should be proactive about structuring their cybersecurity compliance programs to avoid fines, safeguard sensitive data, and protect their reputation.

NYDFS Finalizes Amendments to Cybersecurity Rules

In July, we wrote about ten notable updates proposed by NYDFS to its cybersecurity regulations. On November 1, the NYDFS announced that it had finalized amendments to 23 NYCRR 500.

Continue reading “Cybersecurity Enforcement Update: NYDFS Adopts Final Amendments to its Cybersecurity Regulations and SEC Sues SolarWinds Executive”

SEC Adopts New Cybersecurity Rule

On July 26, the Securities and Exchange Commission (“SEC”) finalized a much anticipated rule addressing cybersecurity risk management, strategy, governance, and incident disclosure. Public companies registered with the SEC will soon be required to report material cybersecurity incidents within four business days of determining the incident to be material and to make periodic disclosures regarding cybersecurity risk management, strategy, and governance.

Continue reading “SEC Adopts New Cybersecurity Rule”

Cybersecurity Enforcement Update: New York Department of Financial Services Announces Amended Cybersecurity Regulations and Latest Multi-Million-Dollar Cybersecurity Enforcement Settlement & FTC Settles Matter Involving Unsecured Genetic Data

Recent enforcement actions and announcements show that state and federal regulators are continuing to focus intensely on cybersecurity and data protection. Notably, the New York Department of Financial Services (“NYDFS”) recently issued the latest proposed amendments to its Cybersecurity Regulations. NYDFS also recently announced a $4.25 million cybersecurity consent order with OneMain Financial Group, LLC (“OneMain”). In addition, the U.S. Federal Trade Commission (“FTC”) recently announced a settlement with genetic testing company 1Health.io (“1Health”).

New Proposed Amendments to NYDFS Cybersecurity Regulations

The NYDFS recently announced updated proposed amendments to its industry leading cybersecurity regulations. These latest amendments follow public comments on earlier proposed amendments circulated in November 2022. If adopted, companies regulated by NYDFS would face several new requirements, including the following:

Continue reading “Cybersecurity Enforcement Update: New York Department of Financial Services Announces Amended Cybersecurity Regulations and Latest Multi-Million-Dollar Cybersecurity Enforcement Settlement & FTC Settles Matter Involving Unsecured Genetic Data”

New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations

A recent consent order between the New York State Department of Financial Services (“NYDFS”) and cryptocurrency trading platform, bitFlyer USA (“bitFlyer”), shows that the NYDFS continues to utilize an aggressive enforcement posture with respect to cybersecurity for regulated financial services companies. Notably, the bitFlyer consent order and other recent consent orders demonstrate that NYDFS is no longer waiting for regulated entities to experience a cyber-attack before commencing an enforcement action, and, instead, is using routine examinations to uncover and prosecute companies for failing to comply with the NYDFS’s cybersecurity regulations.

Background

In 2017, the NYDFS promulgated first-of-its-kind regulations establishing cybersecurity requirements for financial services companies. 23 NYCRR Part 500. These regulations were amended once and a proposed second amendment was published in late 2022, with final amendments expected to be adopted sometime later this year.

Continue reading “New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations”

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Author: Peter Baldwin