Paul Greene

November 09, 2020 | New York Law Journal

Organizations are best served by preparing in advance and honing the appropriate legal tools for use in a ransomware attack before the attack occurs. Planning for a ransomware event will always be imperfect, but failing to prepare could be catastrophic.

By Paul Greene and Daniel J. Altieri

8 minute read

March 31, 2020 | New York Law Journal

A hallmark of U.S. administrative law is that policy decisions are made by the Legislature, with gaps filled in via regulation. Administrative agencies are given discretion and courts show special deference to an agency's area of expertise. In the arena of data protection, this separation of powers is being put to the test and causing confusion for businesses seeking to comply with data protection duties.

By F. Paul Greene

8 minute read

November 25, 2019 | New York Law Journal

It has always been a "happy incident" of our federal system that a "courageous State" may "try novel social and economic experiments without risk to the rest of the country." In relation to data protection laws, however, this has led to an unintended and potentially unworkable level of complexity on the national level.

By F. Paul Greene

8 minute read

July 26, 2019 | New York Law Journal

New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require.

By F. Paul Greene

8 minute read

August 03, 2018 | New York Law Journal

The 11th Circuit found the order fatally lacking in detail, noting that it effectively left it up to the District Court to determine whether LabMD's activities to secure patient data for the next 20 years were “reasonable.”

By F. Paul Greene and Daniel J. Altieri

1 minute read

April 12, 2018 | FC&S Insurance

The cybersecurity regulations from the New York State Department of Financial Services (DFS) that went into effect on March 1, 2017 have had wide-reaching…

By F. Paul Greene

7 minute read

March 28, 2018 | New York Law Journal

These new FAQs, and the FAQs issued previously, help clarify areas of uncertainty under Part 500. The problem with the FAQs, however, is that they are non-binding and can be changed at will, however unlikely an abrupt or material change from DFS may be.

By F. Paul Greene

7 minute read

September 13, 2017 | New York Law Journal

F. Paul Greene

By F. Paul Greene discusses the recent Equifax breach, including topics such as what is a breached organization's duty to notify its customers, and the role of risk assessment. He further explores what comes next.

16 minute read

August 25, 2017 | New York Law Journal

F. Paul Greene writes: The day has finally arrived for the financial services industry in New York. The new cybersecurity regulations issued by the New York State Department of Financial Services are officially in force, and for the first time, a single state is regulating cybersecurity on a potentially global scale, and it has done so via the regulatory process, not legislative action.

By F. Paul Greene

16 minute read

February 28, 2017 | New York Law Journal

F. Paul Greene of Harter Secrest & Emery writes: It has been a wild ride for the banking, insurance, and financial services industries in New York over the past five months. But now the New York State Department of Financial Services has released the final version of its cybersecurity regulations, maintaining its new risk-adjusted approach. Important questions concerning the scope and effect of the regulations remain, however.

By F. Paul Greene

16 minute read