Barrie VanBrackle, a partner in Orrick’s Washington, D.C., office, is a member of the Cyber, Privacy & Data Innovation practice. An authority on payments and consumer financial services compliance, Barrie co-leads Orrick’s Fintech
Her practice focuses on three areas at the cross-section of the fintech space: consumer-facing financial and banking regulatory counseling and investigations, payment card industry (PCI) and brand operating rules (including PCI Data Security Standards), and strategic transactions and deals on behalf of leading merchants, payment processors and industry vendors. In addition, Barrie has deep experience advising corporate and private equity clients in M&A contexts and other investments in fintech.
Barrie is a sought-after speaker on the evolving regulatory and compliance issues surrounding payments and related e-commerce matters. Prior to joining Orrick, Barrie was a partner at Manatt, Phelps & Phillips LLP.
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out prescriptive, one-size-fits-all requirements, the final Rules align more closely with flexible federal financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the steps below may help to prioritize and implement a work plan.
Just as it promised a year ago, New York State proposed new prescriptive, minimum cybersecurity requirements for regulated financial services institutions. The regulations go final after a 45-day notice and public comment period. At that point, entities regulated by the NYDFS will be subject to the nation’s first prescriptive set of cybersecurity requirements, in contrast to the usual risk-based cybersecurity programs mandated by other financial regulators to date. Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt. In this Part I, we review the proposed requirements, and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.
On July 29, 2016, the Southern District of New York, in Meyer v. Kalanick, refused to enforce mandatory arbitration and jury waiver provisions against a putative class of Uber consumers. In a lengthy and strongly worded decision by Judge Rakoff, the Court held that consumers had not received sufficient notice of, and did not assent to, the online terms of service that contained the arbitration and waiver clauses at issue.
Every company that seeks to implement contractual commitments through online terms and policies should pay close attention to this decision. While not binding in jurisdictions outside the SDNY, Meyer reflects a growing trend of more exacting judicial scrutiny of the enforceability of online agreements across the country, and represents an important development in a rapidly developing area of the law.