Aravind Swaminathan, global co-chair of Orrick’s Cybersecurity & Data Privacy team, recently spoke with Global Investigations Review regarding new plans proposed by New York’s Department of Financial Services that will require financial institutions to report cybersecurity breaches within 72 hours. These new regulations, if adopted, will go into effect January 1, 2017.
According to Aravind, “These are sophisticated regulators, and so we expect that they will understand you can’t have all the facts in 72 hours; it’s just not reasonable or frankly possible. I think they’ll be looking for early notification and an early assessment of what has happened. The key is conducting your investigation in that timeframe to get as much of the information as they are going to want to know.”
He also noted, “When you’re trying to prove negligence, it’s hard to do when there is no clear established standard of care to point to. But where there are requirements mandated by a rule or regulation, those requirements operate as a de facto standard; when companies don’t adhere to them, it makes it easy for plaintiffs to bring a case.”
Aravind added that the rules will require companies to have a much clearer understanding of where their data is held, and how to access it in the event of a breach.
Until 2013, Aravind was an Assistant United States Attorney for the Western District of Washington, where he served as one of the district's Computer Hacking and Intellectual Property Section attorneys. He led the United States Attorney's Office cybercrime outreach program for the Western District of Washington, where he worked with members of the Department of Justice, regulators, law enforcement and other organizations on cybersecurity and related privacy issues. As a prosecutor, Aravind investigated and prosecuted a broad array of cybercrime cases including ones involving hacking, phishing, theft of trade secrets, click fraud, cyber threats, and identity theft.