USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields
security requirements, including implementing a written information security programme. This written information security programme must include risk assessments, access controls, data inventories, encryption, multifactor authentication, logging of access to customer information, regular monitoring and testing, training, and assessments of third-party service providers. The Safeguards Rule also requires covered financial institutions to designate an individual with responsibility for the programme, who must report in writing to the board at least annually. The Safeguards Rule also requires financial institutions to notify the FTC of security breaches involving unauthorised acquisition of at least 500 consumers’ unencrypted information, no later than 30 days after discovering such an event.

HIPAA is the primary law that regulates data privacy and security for healthcare providers (see 6.3 Cybersecurity and the Healthcare Sector for more detail).

Additionally, the SEC’s Regulation S-P (“Reg S-P”) requires broker-dealers, investment companies, and registered investment advisers to provide notices about privacy practices, institute written policies and procedures that safeguard customer information, securely dispose of consumer report information, and adequately oversee third-party service providers. Reg S-P was recently amended to require covered entities to implement an incident response plan and provide data breach notifications to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorisation.

State-Level Data Protection Regulation

Many states have passed comprehensive data privacy laws that also include cybersecurity requirements. Typically, these state laws require covered entities to implement reasonable security measures to protect consumer personal data. The California Consumer Privacy Act includes a private right of action for consumers whose unencrypted personal information is subject to a breach of security due to the failure of the business to implement reasonable security measures. Additionally, in November 2024, the California Privacy Protection Agency (CPPA) released a proposed rule that would require covered businesses to conduct annual independent cybersecurity audits, present the results of the audit to senior executives at the business, and submit a certification of the audit to the CPPA.

6.2 Cybersecurity and AI

AI regulation is still nascent, but some government entities are starting to address the cybersecurity implications of AI. Although Congress has not passed any comprehensive AI bill to date, there have been Presidential executive orders on AI and cybersecurity. During the Biden administration, President Biden issued an executive order directing federal entities to implement guidance related to safety and security in the deployment of AI. In November 2024, the DHS released a voluntary framework for how to safely and securely deploy AI in critical infrastructure. However, on his first day in office in 2025, President Trump revoked former President Biden’s executive order that had established initiatives related to the safe deployment of AI. President Trump has since issued two new executive orders on AI, which do not focus on cybersecurity, safety or accountability measures.

At the state level, the NYDFS’s 23 New York Codes, Rules and Regulations (NYCRR) 500 (“Part 500”) includes prescriptive requirements for covered financial services companies to implement cybersecurity safeguards, such as implementing multifactor authentication. In
356 CHAMBERS.COM