December 2022 in Brief: Internet Law & Cyber-Security

NY Department of Financial Services Proposes Amendments to Cybersecurity Requirements for Financial Services Companies

By Alan S. Wernick, Esq., Aronberg Goldgehn

The New York Department of Financial Services (“DFS”) “Cybersecurity Requirements for Financial Services Companies” (“CRFSC”) (23 NYCRR 500) (“Part 500”), effective March 1, 2017, are set for an update in early 2023. In November 2022 DFS announced its proposed amended regulations to Part 500 (see, “DFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation” available at https://on.ny.gov/3I2warw). DFS Superintendent Harris is quoted as saying, “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm. Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

Some of the Part 500 proposed amendments include:

• Enhanced accountability and corporate governance requirements for boards of directors and C-suite executives.
• Increased requirements for businesses to invest in periodic (but at a minimum annual) cybersecurity awareness and training (including social engineering exercises).
• A requirement to develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of the covered entity’s cybersecurity program.
• Clarifications concerning use of unauthorized access controls including multi-factor authentication.

When the comment period ends in early 2023, DFS will review received comments and either propose a revised version or adopt the final regulation as amended. Businesses and their privacy/cybersecurity law counsel should review the proposed Part 500 amendments to determine their impact on businesses’ risk surface.

© 2022 Alan S. Wernick and Aronberg Goldgehn.

Delaware Adopts Revised Uniform Law on Notarial Acts

By Aja Finger, J.D. Candidate, Class of 2024, Howard University School of Law

On September 9, 2022 the governor of Delaware, John Carney, signed Senate Bill 262 adopting the Uniform Law Commission’s (ULC) Revised Uniform Law on Notarial Acts. The law amends various provisions under Titles 20 and 29 of the Delaware Code. Most notably, in response to the residual effects of the COVID-19 pandemic, the amendments permit notarial acts to be performed remotely.

Senate Bill 262 specifically provides that notaries in Delaware may use communication technology to perform remote notarial acts if the officer (a) knows the individual personally, (b) can identify the remotely located individual by oath or affirmation from a credible witness, or (c) can identify the remotely located individual by two approved forms of identification. The notary is required to create an audiovisual recording of the notarization, which must be retained for at least ten years. Moreover, the notary must be able to reasonably confirm that the record before them is the same record as the one in which the remotely located individual made a statement or executed a signature. To ensure that the notary and the remotely located individual are viewing the same record, the remotely located individual must (1) sign the record during the audiovisual recording, (2) make a written declaration under penalty of perjury that is part of or securely attached to the record, and (3) send the record and declaration to the notary within three days. Once the notary receives the tangible record and declaration, they must complete a notarial certificate stating, “I (name of the notary) witnessed, by means of communication technology, (name of remotely located individual) sign the attached record and declaration on (date).”

Furthermore, the amendments authorize a notary located in Delaware to use communication technology to perform a notarial act for a remotely located individual outside of the United States so long as the act of making the statement or signing the record is not prohibited by the foreign state in which the remotely located individual is located. Where the individual is located outside of the United States, the record must be filed with or related to a matter before a public official or court, government entity, or another entity subject to the United States’ jurisdiction. Alternatively, remote notarization is also permitted for records that involve property located within United States territory or transactions substantially connected with the United States.

Delaware is the latest state, and the thirtieth jurisdiction, to enact the Revised Uniform Law on Notarial Acts. Additionally, it is the forty-fourth state to approve remote notarization protocols. The bill takes effect on August 1, 2023. Until then, notarial officials should anticipate rulemaking by the Secretary of State to implement Senate Bill 262.