Matthew L. Levine

NYDFS Issues Cybersecurity Alert Concerning SolarWinds Hack

by

On December 18, 2020, NYDFS issued a supply chain compromise alert arising out of the SolarWinds hack. Some hot takes on Friday’s NYDFS guidance :
– If a regulated entity has been affected by the hack either directly, or indirectly through an affiliate or third party service provider, the entity should give notice to NYDFS right away – err on the side of disclosure
– NYDFS considers notice essential to understanding the full scope of the attack
– NYDFS will use this information to formulate a supervisory response that seeks to assist affected institutions and prevent further damage – the transparency necessary for an effective government response
– This is not a “gotcha” moment, but an opportunity for NYDFS to marshal resources to assist firms in responding to the attack and coordinate a response with other government agencies (FBI; DHS; etc.)
– Coincidence? On the same day NYDFS issued this specific guidance around its established cybersecurity regulation, federal banking regulators noticed a proposed rulemaking for the first time that requires notification to an entity’s principal federal regulator of a “computer-security incident.”

The guidance may be found here: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20201218_supply_chain_compromise_alert

NYDFS Enforcement Action Against AIG Insurance Subsidiary for Unlicensed Activity

by

NYDFS yesterday announced a settlement with an AIG subsidiary for engaging in the pension risk transfer business in New York without being licensed. The AIG subsidiary will pay a $12 million penalty – substantial for insurance penalties in NY– and transfer the business line to an AIG subsidiary licensed by NYDFS. Hot takes:
– This is the second settlement in an industry-wide investigation. The first was with Athene Holding Ltd. last year, which involved a $45 million penalty.
– The Consent Order notes the agency’s position that each instance of unlicensed solicitation, negotiation, or sale of insurance by an unauthorized insurer or of an improper policy is a separate violation of the Insurance Law. So sending and receiving hundreds or thousands of emails in an unlicensed business can quickly run up the penalty number.
– NYDFS maintains its long-term focus on penalizing financial companies that conduct business in New York without the necessary license; this is construed as an unfair competitive advantage by the regulator. 

The Consent Order may be found here: https://www.dfs.ny.gov/system/files/documents/2021/01/ea20210201_aig.pdf

 

NYDFS Uses New Powers to Investigate Alleged Price Spikes in COVID-19 Medicines, Targeting Non-Licensees

by

Continuing its focus on consumer protection enforcement, the New York State Department of Financial Services (“DFS”) announced an investigation into alleged price spikes for six drugs connected to treatments of COVID-19 medical conditions.[1]  According to DFS, its newly-formed Office of Pharmacy Benefits (“OPB”) commenced the investigations under Insurance Law § 111 into what it characterizes as “anomalously large spikes” in the prices of the six drugs, occurring since the onset of the COVID-19 pandemic.  These medications are Ascor, Budesonide, Dexonto, Mytesi, Duramorph and Chloroquine phosphate, each of which has some actual or claimed therapeutic use for COVID-19 conditions. More detail on this investigation can be found on my blog post for the NYU Program on Corporate Compliance and Enforcement, here:

New York State Department of Financial Services (“DFS”) Uses New Powers to Investigate Alleged Price Spikes in COVID-19 Medicines, Where Targeted Pharma Manufacturers Are Not DFS Licensees

 

NYDFS Issues Guidance Concerning Cybersecurity Threats to Nonpublic Information

by

 A key objective of NYDFS Regulation Part 500 is to permit the agency to share information it receives from its 72-hour notification provision with all regulated entities. This can help protect all entities from a cyber threat identified initially at some entities; NYDFS regulates over 3500 entities with approximately $7 trillion in assets. This recent … Read more

NYDFS Issues Findings Concerning Facebook Data Privacy Deficiencies

by

NYDFS issued a report last week concerning Facebook data privacy deficiencies, following a WSJ report that Facebook received sensitive user data from some popular apps, including a fertility-tracking app named “Flo,” for use in Facebook’s analytics tool.
– Facebook’s subsidiary, Facebook Payments Inc., is licensed as a money transmitter but the report found Facebook Payments “had no involvement in the privacy issues examined.” Since Facebook, the parent, indicated its willingness to cooperate “fully” the parties sought to avoid any clash about jurisdictional issues.
– NYDFS found that, while Facebook had taken steps to remediate, such as building a screening tool that would reject sensitive health information, it failed to “engage fully” with respect to other remediation proposals, and its effort to enforce its own policies against collection of sensitive data was “seriously lacking.”
– In January 2021, the Federal Trade Commission reached a proposed settlement with “Flo,” the fertility tracking app, requiring it to keep promises about user privacy.
– NYDFS argues this is another incident demonstrating the need for greater regulation on the federal and state level.

The NYDFS report can be found here: https://www.dfs.ny.gov/system/files/documents/2021/02/facebook_report_20210218.pdf

The proposed Consent Order and Complaint for the Flo Health matter can be found here: https://www.ftc.gov/enforcement/cases-proceedings/1923133/flo-health-inc

 

NYDFS Issues Its Second Cybersecurity Enforcement Action

by

NYDFS Cybersecurity Enforcement Action No. 2 — this time from a routine examination. Agency examiners identified significant non-compliance with the Cybersecurity Regulation by a mortgage banker, Residential Mortgage Services Inc.
– An employee handling sensitive customer information fell victim to a phishing scam in 2019
– The company failed to report the breach to NYDFS within 72 hours as required
– Indeed, it only reported it for the first time during an examination in mid-2020
– The company also failed to conduct a “comprehensive” cybersecurity risk assessment in 2019 as required
– Yet its CISO certified in April 2020 that the firm was in full compliance with the regulation
– The company will pay a $1.5 MM penalty and remediate
– Important: the penalty is assessed under the Banking Law for unsafe/unsound conduct — not the Financial Services Law.

Link to the Consent Order can be found here: https://www.dfs.ny.gov/system/files/documents/2021/03/ea20210303_residential_mortgage_0.pdf

NYDFS Issues Cybersecurity Alert to Regulated Entities

by

On March 9, 2021 NYDFS issued another cybersecurity alert to regulated entities. It disclosed that in recent days thousands of organizations were compromised via zero-day (newly discovered) vulnerabilities in the Microsoft Exchange Server. Microsoft made patches available for these vulnerabilities on March 2 but many organizations apparently were compromised before the patches were either available or applied. NYDFS is urging all regulated entities with vulnerable Microsoft Exchange services to act immediately by patching or disconnecting vulnerable servers. CISA has also released a current activity update outlining how to search for the type of compromise identified.

The alert may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103092

A View from the Inside: A Guide to CFPB Investigations

by

Part I of a two part article I co-authored with with Tony Alexis and Kyle Tayman of Goodwin, Procter & Hoar, LLP concerning how Federal agencies, including the CFPB, are expected to ramp up enforcement under the new administration. I am fortunate to have the opportunity to co-author this article  concerning navigation of CFPB investigations and how they relate to NYDFS investigations. Stay tuned for Part II of the article — NYDFS investigations, coming soon.

Part One of the two part series can be found here:  Alexis_Levine_Tayman_RBFS_Final — Part One

NYDFS Issues Fair Lending Report on Goldman Sachs Apple Card

by

A lengthy declination letter: What happens when a regulator conducts an investigation and finds no wrongdoing? For its fair lending inquiry of Goldman Sachs co-branded credit card, the Apple Card, NYDFS issued a report on March 23, 2021 that resembles a lengthy declination letter. The report makes clear after “exhaustive review of documentation and data” NYDFS failed to uncover “evidence of deliberate or disparate impact discrimination.” Other notes:
– The investigation commenced following a viral Tweet from a tech entrepreneur alleging his wife received less favorable terms under the Apple Card.
– Tweets and other social media are increasingly visible sources for investigations (worthy or not)
– NYDFS undertook a massive statistical analysis as part of its investigation, finding no wrongdoing
– Goldman Sachs offered strong cooperation and a consumer-oriented program to assist people with inadequate credit ratings to improve their credit, a program it called “Path to Apple Card”
– 70,000 consumers enrolled in “Path to Apple Card” and about 5,000 of them have been approved for an Apple Card
– The report contains valuable guidance on the agency’s current thinking on fair lending

The report is here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103231