Is New York’s New Cybersecurity Standard Too Broad or Too Cumbersome?

The first-of-its-kind New York State (NYS) Cybersecurity Regulation requires covered companies to notify the NYS Department of Financial Services of “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse” a computer system. It is far from clear what constitutes an “unsuccessful attempt to gain unauthorized access,” and whether this effectively means that companies must publicly report each and every attempted hack or attack, no matter the size or operational effect. Further, the NYS regulation appears to go beyond the disclosure requirements of current regulations and laws, including through 10Ks and 8Ks, state data breach laws, Gramm-Leach-Bliley, and HIPAA. The post will explore the current disclosure laws and how they differ from New York’s new proposed regulation.

I. Introduction

In an era where Russia hacked the 2016 United States Election, Yahoo lost one billion customers’ account data, and Ashley Madison’s data breach released a list of would-be adulterers1, the New York Department of Financial Services (DFS) proposed the Financial Services Law on September 13, 2016.2 The proposed regulation imposes cybersecurity requirements on financial services companies with broad, sweeping language and new requirements.3 The proposed cybersecurity requirements for financial services companies include: establishing a cybersecurity program, adopting a cybersecurity policy, designating a Chief Information Security Officer (“CISO”)4, regulating third-party interactions5, and an abundance of other requirements such as annual penetration testing and vulnerability assessments.6 Although there are numerical and monetary exemptions7, the definition of “cybersecurity event”8 is unnecessarily broad. The DFS conducted extensive surveys prior to releasing the proposed rules, and concluded that many of its requirements are “consistent with existing guidance from other financial industry regulators”, and “reflected in industry best practices.”9

After the survey results and original regulations were proposed, the DFS began taking into consideration over 150 comments received.10 On December 28, 2016, the DFS published a revised proposed cybersecurity regulation, with a new comment period ending January 27, 2017 and a proposed effective date of March 1, 2017.11

II. History of Data Breach Disclosure Requirements

    A. Federal Disclosure Requirements

The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (“GLB Act”) and the Sarbanes-Oxley Act of 2002 (“SOX”) require financial institutions to disclose for the benefit of the investor.14 The primary purpose of the GLB Act was to increase competition in the financial services industry. By eliminating legal barriers, the GLB Act allowed banks, securities firms and insurance companies to merge. The GLB Act also included privacy protection provisions as a counter to merged institutions sharing information. There are three distinct privacy requirements: the Financial Privacy Rule15, the Safeguards Rule16, and pretexting provisions17. The Financial Privacy Rule requires financial institutions to:

(1) Provide notice to customers about their privacy policies;
(2) Describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provide a method for customers to prevent a financial institution from disclosing that information to certain nonaffiliated third parties by opting out of that disclosure, subject to various exceptions as stated in the rule.18

The Safeguards Rule requires reasonable policies and procedures for security, confidentiality and integrity of customer information.19 The pretexting provisions actually promulgate rules of conduct20 and provide enforcement rights to seven federal agencies.21

The GLB Act applies to the disclosure of data breaches, including non-public personal information held by covered financial institutions22, but excluding publicly available information.23 The financial institution must disclose its policies to consumers24 “at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship….”25 The disclosure must provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution’s policies with respect to: (1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 6802 of this title, including the categories of information that may be disclosed; (2) disclosing nonpublic personal information of persons who have ceased to be.26

Securities Disclosures for Publicly Traded Companies also require disclosure of material information.27 In 2011 the Securities and Exchange Commission Division of Corporation Finance released guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents.28 The guidance states that while “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”29 Disclosure of material information30 is required on registration statements by the Securities Act of 1933 and periodic reports under the Securities Act of 1934.31 The Disclosure Guidance implies that unauthorized access to a network for the purpose of misappropriating confidential information can be material information.32

In addition, the SEC has expressed enforcement interest in controls around systems that contain financial reporting data. This theory appears to be based on Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”) and implementing regulations, which generally require publicly-traded companies to maintain a system of internal control over financial reporting (ICFR).33 SEC guidance has stated that the “[m]anagement’s evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity (for example, fraudulent financial reporting, misappropriation of assets and corruption), and whether any such exposure could result in a material misstatement of the financial statements.”34

For the healthcare industry, privacy standards for individual medical information (the Privacy Rule)36 were established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).35 The Privacy Rule applies to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with transactions covered by the regulations.37 The stated purposes for the regulations include the protection and enhancement of consumers’ rights of access to their health information and the control of the inappropriate use of that information. The Privacy Rule establishes a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection, in order to protect patients and to encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of society. Breach is defined as the “…acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part [§164.500] which compromises the security or privacy of the protected health information.”38 Written notice must be given to the individual whose information has been, or is reasonably believed to have been, disclosed as a result of a breach.39 Notice must also be given to the Federal Government, specifically the Secretary of Health and Human Services.40 Notice is to be provided “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”41

The Federal Information Security Management Act of 2002 (FISMA)42 requires agencies to develop information security programs to protect all personal data from unauthorized access or disclosure. FISMA requires agencies to conduct privacy impact assessments, which examine conformity of agency data handling with applicable laws regarding privacy, the risks and effects of data collection in electronic form, and the possible protections and alternative information handling processes to mitigate privacy risks.43

The Federal Trade Commission (FTC) even has a practice guide to handling data breaches.44 Companies are prohibited by the Federal Trade Commission Act (15 U.S.C. § 45) from engaging in “unfair or deceptive acts or practices in or affecting commerce.” The Federal Trade Commission has found that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an “unfair practice” in violation of the Federal Trade Commission Act.45

In conclusion, federal rules and regulations provide protection for, and require disclosure of, material information. Similar to New York’s proposed Financial Services Law, federal laws require cybersecurity oversight and forethought, but are not as expansive as New York’s. Federal law is more industry-related than consumer-oriented.46

    B. State Laws

California was the first state to adopt a data breach notification statute.47 Now, there are 47 differing state laws regulating notification of security breaches48, varying in their triggers for notification, what counts as personal information, and who receives notice of data breaches.49 Massachusetts50 is considered the most comprehensive and onerous, as well as the gold standard of data security regulations.51 The Massachusetts Standards broadly apply to “unauthorized access” to or use of personal information.52 But even Massachusetts curtailed the scope by including a risk-based approach, taking into consideration circumstances specific to a particular business.53

III. Implications of the New York Financial Services Law

The proposed Financial Services Law requires a covered entity to “assess its specific risk profile and design a program that addresses its risk in a robust fashion.”54 The board or senior officer(s) of each institution would be responsible for an organization’s cybersecurity program and would be required to file an annual certification with DFS confirming compliance with the regulations. The broad definitions of covered entity55 and cybersecurity event56 go beyond prior federal and state regulations. Although the gold standard state of Massachusetts also uses the terms “unauthorized” and “unsuccessful”, it does so only in limited circumstances.57 Additionally, the proposed regulations are “far-ranging in scope, including not only specific technical safeguards but also requirements regarding governance, incident planning, data management and system testing, and an aggressive 72-hour time frame to notify DFS of certain cyber incidents.”58

IV. Conclusion and Possible Solution

In order to minimize compliance costs, the DFS can further define various portions of the Financial Services Law. One such solution would be defining the scope of “attempt” and “unsuccessful.”59 By doing so, New York can fall in line with the Massachusetts gold standard, striking the perfect balance between defensive measures and overbearing compliance. More specifically, the New York DFS should limit the scope to large-scale attempts, successful or unsuccessful. For instance, the State of New Jersey Garden State Network, a multi-agency data network, receives 1.4 billion malicious attacks per month.60 The notice requirement alone would inundate the corresponding New Jersey agency with compliance-related notices. GLB Interagency Guidelines61 blend nicely with traditional duties of care, which look to process and the existence of prudent board and officer behavior within those processes. Similarly, DFS could ensure further compliance by being a more organized source for already established reporting requirements.

In conclusion, the Financial Services Law is well intentioned and follows federal disclosure requirements, but is much broader. The DFS, unintentionally or intentionally, included smaller entities and smaller-scale cyber threats, while adding another compliance framework. Regardless of similarity, the Financial Services Law is another list of requirements that each covered entity will need to track.

  1. http://www.pymnts.com/news/security-and-risk/2016/ashley-madison-rebuilds-trust-after-data-breach-hack/
  2. Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Pt. 500 (Sept. 13, 2016), available at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf. (Updated December 28, 2016).
  3. According to the Verizon 2016 Data Breach Investigations Report, 89% of breaches had a financial or espionage motive. Available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
  4. Id. at Pt. 500.04.
  5. Id. at Pt. 500.11.
  6. Id. at Pt. 500.01(i), 500.05. The other requirements also include: 1) Encryption, limitations of retention and access, and disposal of nonpublic information (500.7, .13, .15); 2) Establish a written incident response plan (500.16); and 3) Notice to superintendent within 72 hours from a cybersecurity event (500.17).
  7. Id. at Pt. 500.19
  8. Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. Id. at Pt. 500.01 (d) (emphasis added)
  9. See generally Reports on Cyber Security in the Banking and Insurance Sectors, available at http://www.dfs.ny.gov/reportpub/dfs_reportpub.htm
  10. Ramos, Grechen A. “New York Revamps Proposed Cybersecurity Regulation for Financial Services and Insurance Entities” Nat. L. Rev. (January 3, 2017) available at http://www.natlawreview.com/article/new-york-revamps-proposed-cybersecurity-regulation-financial-services-and-insurance.
  11. Soleta, Michael B. “DFS Issues Updated Proposed Cybersecurity Regulations” (January 3, 2017) available at https://www.sullcrom.com/siteFiles/Publications/SC_Publication_DFS_Issues_Updated_Proposed_Cybersecurity_Regulations.pdf (“For example, some commentators noted that ‘data stored on magnetic tapes and commingled data on servers present significant feasibility challenges with respect to any requirement for targeted data destruction.’” (citing Comment Letter from the Securities Industry and Financial Markets Association, American Bankers Association, Financial Services Roundtable, Financial Services Sector Coordinating Council, Mortgage Bankers Association, American Financial Services Association, American Land Title Association and New York Mortgage Bankers Association, dated November 14, 2016, available at http://www.aba.com/Advocacy/commentletters/Documents/SIFMA-NY-DFS-Proposed-Cyber-Requirements.pdf.))
  12. Ramos, Grechen A. “New York Revamps Proposed Cybersecurity Regulation for Financial Services and Insurance Entities” Nat. L. Rev. (January 3, 2017) available at http://www.natlawreview.com/article/new-york-revamps-proposed-cybersecurity-regulation-financial-services-and-insurance.
  13. Soleta, Michael B. “DFS Issues Updated Proposed Cybersecurity Regulations” (January 3, 2017) available at https://www.sullcrom.com/siteFiles/Publications/SC_Publication_DFS_Issues_Updated_Proposed_Cybersecurity_Regulations.pdf (“For example, some commentators noted that ‘data stored on magnetic tapes and commingled data on servers present significant feasibility challenges with respect to any requirement for targeted data destruction.’” (citing Comment Letter from the Securities Industry and Financial Markets Association, American Bankers Association, Financial Services Roundtable, Financial Services Sector Coordinating Council, Mortgage Bankers Association, American Financial Services Association, American Land Title Association and New York Mortgage Bankers Association, dated November 14, 2016, available at http://www.aba.com/Advocacy/commentletters/Documents/SIFMA-NY-DFS-Proposed-Cyber-Requirements.pdf.))
  14. 15 U.S.C. § 6801, et seq. (Covered entities: “[F]inancial institution[s].” (§ 6801(a)))
  15. The Financial Privacy Rule; 16 C.F.R. § 313.
  16. The Safeguards Rule; 16 C.F.R. § 314.
  17. See Gramm-Leach-Bliley Act; 15 U.S.C. §§ 6821-6827.
  18. 16 C.F.R. § 313.1
  19. 16 C.F.R. § 314.
  20. Such as prohibiting false representations to employees of a financial institution. 15 U.S.C. §§ 6821(a).
  21. 15 U.S.C. § 6825. See also, 12 U.S.C. § 1813(z)
  22. “[P]ersonally identifiable financial information– (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.” Id. at (§6809(4))
  23. Id. at (§6809(4)(B)). There is also an opt-out provision. See Id. at (§6802(b)). Additionally, there are specific limitations on sharing an account number for marketing purposes. See Id. at (§6802(d)).
  24. Id. at (§6809(9)).
  25. Id. at (§6803(a)).
  26. Id. at (§6803(a)). Information provided includes “(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 6802 of this title, and including (A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to [the general exceptions in] section 6802(e) of this title; and (B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution; (2) the categories of nonpublic personal information that are collected by the financial institution; (3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 6801 of this title; and (4) the disclosures required, if any, under section 1681a(d)(2)(A)(iii) of this title.” Id. at (§6803(c)).
  27. See, e.g., Identity Theft Red Flag Rules, Investment Advisers Act Release No. 3582 (Apr. 10, 2013), available at www.sec.gov/rules/final/2013/34-69359.pdf; Privacy of Consumer Financial Information (Regulation S-P), Investment Advisers Act Release No. 1883 (June 22, 2000), available at http://www.sec.gov/rules/final/34-42974.htm. In formulating or reviewing their compliance programs, firms may also wish to consider, as appropriate, addressing the protection of commercial or market-sensitive information, the disclosure of which could adversely affect customers’ interests. See generally Information for Newly-Registered Investment Advisers, SEC Staff Information Sheet, available at http://www.sec.gov/divisions/investment/advoverview.htm (last modified Nov. 23, 2010).
  28. CF Disclosure Guidance: Topic No. 2- Div. of Corp. Fin., U.S. Sec. & Exch. Comm’n, Cybersecurity (October 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
  29. Id.
  30. Id. (“In order to maintain the accuracy and completeness of information in effective shelf registration statements, registrants may also need to consider whether it is necessary to file reports on Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents.”). See also Form 8-k, Securities and Exchange Commission, available at http://www.sec.gov/about/forms/form8-k.pdf. (“Unless otherwise specified, a report is to be filed or furnished within four business days after occurrence of the event. If the event occurs on a Saturday, Sunday or holiday on which the Commission is not open for business, then the four business day period shall begin to run on, and include, the first business day thereafter.”)
  31. The Laws That Govern the Securities Industry, U.S. Sec. & Exchange Commission, http://www.sec.gov/about/laws.shtml (last visited Dec. 30, 2016). Under Securities Act Rule 408, information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available. See Basic Inc. v. Levinson, 485 U.S. 224 (1988). In a company’s annual report there is a Management Discussion and Analysis (MD&A) section which provides an overview of company operations and financial performance. The MD&A also requires material information disclosure, including cybersecurity risks and systems.
  32. CF Disclosure Guidance: Topic No. 2- Div. of Corp. Fin., U.S. Sec. & Exch. Comm’n, Cybersecurity (October 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. The following information must be reported to the SEC, if the company deems it to be material: harm to a company’s products, services, relationships with customers or suppliers, or competitiveness caused by a cyber incident; litigation arising from a cyber incident; substantial impact from cyber incidents reflected in the company’s financial statements; costs to prevent cyber incidents; incentives to customers harmed by cyber incidents; possible or actual losses due to claims for breach of warranty or contract, product recall or replacement, or indemnification; estimated diminished future cash flows; and the effectiveness of the information and reporting system to disclose cyber incidents.
  33. 15 U.S.C. § 7262; 17 C.F.R. §§ 240.13a-14, 240.13a-15, 229.308, 229.601(31)(i).
  34. Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release No. 33-8810 at 14 (Jun. 27, 2007).
  35. 45 CFR §§ 160.103, 164.400-414, 42 USC §1320d, et seq.
  36. Health Insurance Portability and Accountability Act of 1996, 42 USC § 1320d (2012); see also The HIPAA Privacy Rule, U.S. Dep’t of Health & Human Servs., http://www.hhs.gov/hipaa/for-professionals/privacy/ [https://perma.cc/7TW3-T2XB] (“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”).
  37. 45 C.F.R. § 164.104 (2006). “‘Protected health information’ means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information in: (i) Education records… (iii) Employment records held by a covered entity in its role as employer”. (§160.103)
  38. Id. at §164.402. Breach excludes: “unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity… in good faith and within the scope of authority and does not result in further use…” Id. at §164.402(1).
  39. Id. at §164.404(a)(1). First-class mail to the individual is required, unless there is an electronic notice agreement.
  40. Id. at § 164.404(a)(2). There is also a threshold of 500 individuals for including additional disclosures.
  41. Id. at §164.404(b)
  42. Title III of the E-Government Act (codified at 44 U.S.C. 3541-49 (Supp. II 2002))
  43. Section 208 of the E-Government Act (codified at 44 U.S.C. 3501 note (Supp. II 2002))
  44. Federal Trade Commission, “Data Breach Response: A Guide for Business” available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf
  45. FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 607 (D.N.J. 2014) (Under Section 5(a)).
  46. Rachael M. Peters, Note, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. 1171, 1181 (2014).
  47. Cal. Civ. Code §§ 1798.29, 1798.82, 1798.84 (2003).
  48. Alabama, New Mexico, and South Dakota are the only states that did not have data breach laws as of December 2015. See 2015 Security Breach Legislation, Nat’l Conference of State Legislatures (Dec. 31, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/2015-security-breach-legislation.aspx#2015 [https://perma.cc/7ZAU-K3BM]; see also Peters, Note, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. at 1181 & n.71. See generally Arkansas: Ark. Code Ann. § 4-110-104(b), California: Cal. Civ. Code § 1798.81.5, Connecticut: Conn. Pub. Act No. 08-167, Maryland: Md. Code Ann. § 14-3503, Massachusetts: 201 Mass. Code Regs. § 17, Nevada: Nev. Rev. Stat. § 603A.210, Oregon: Ore. Rev. Stat. § 646A.622, Rhode Island: R.I. Gen. L. 11-49.2-2(2) and (3), Texas: Tex. Bus. & Com. Code Ann. § 521.052, Utah: Utah Code Ann. § 13-44-20.
  49. Kennedy, A Primer on Key Information Security Laws in the United States, in Gilbert, et al., Ninth Annual Institute on Privacy and Security Law, No. G-934, p. 181 (PLI/Corp. June-July 2008).
  50. 201 Mass. Code Regs. § 17.00 et seq. (2009).
  51. 201 Mass. Code Regs. § 17.00 et seq. (2009).
  52. Id.
  53. Id.
  54. Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Pt. 500 (Sept. 13, 2016), available at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf. (Updated December 28, 2016).
  55. “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” Id. at 2, 23 NYCRR Pt. 500.01(c).
  56. “Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” Id. at 2, 23 NYCRR Pt. 500.01(d).
  57. 201 Mass. Code Regs. § 17.04 (2009) (Including unsuccessful log-in attempts, if technically feasible).
  58. Dinallo, Eric R. Client Update, page 5 available at http://www.debevoise.com/~/media/files/insights/publications/2016/09/20160915anew%20yorksproposedcyberregulationsimplicationsandchallenges.pdf. (emphasis added) (Notice requirement).
  59. Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. Id. at Pt. 500.01 (d) (emphasis added)
  60. Senator Cory Booker, Members of New Jersey Congressional Delegation Call for Increased Security Funding to Guard Against Cyber Threats, Increase Port Security, Press Release (July 6, 2016) available at https://www.booker.senate.gov/?p=press_release&id=449.
  61. 66 Fed. Reg. 8616 (Feb. 1, 2001) and 69 Fed. Reg. 77610 (Dec. 28, 2004) promulgating and amending 12 C.F.R. Part 30, app. B (OCC); 12 C.F.R. Part 208, app. D-2 and Part 225, app. F (Board); 12 C.F.R. Part 364, app. B (FDIC); and 12 C.F.R. Part 570, app. B (OTS).

Author: Jacob G. Shulman

Jacob Shulman is originally from central New Jersey, but has spent a significant period of his life near Chicago, Illinois. Jacob is a third-year student at Rutgers Law School and received his undergraduate education from Rutgers University-New Brunswick. Jacob graduated with a bachelor's degree in political science, with a minor in economics and an Undergraduate Associate certificate from the Eagleton Institute of Politics in 2015. During the past few years, Mr. Shulman has worked for multiple law firms in New York and New Jersey, focusing on assisting attorneys who represent mid-size and large business entities. Jacob has also worked in securities compliance as a law clerk for a broker-dealer. Jacob will be published in the upcoming volume of the Rutgers Computer and Technology Law Journal for his work in financial technology ("FinTech"). Additionally, Jacob has written about corporate governance issues, cybersecurity, and blockchain. He enjoys giving back to the community and has done so by being a member of Mt. Zion Lodge #135 of Free and Accepted Masons, various alumni groups, and the Highland Park Human Relations Commission. Jacob has had exposure to a myriad of legal and policy-related internships and jobs. At the law school, Jacob was involved as the Career Services Chairman of the Student Bar Association (SBA), and served as the President of the Jewish Law Students Association (JLSA). As the Career Services Chairman, Jacob organized one of the largest judicial receptions at the law school. Jacob is a 2017-2018 Governor's Executive Fellow through the Eagleton Institute of Politics and a Business Law Fellow in the Rutgers Center for Corporate Law and Governance. His hobbies include rescuing and fostering dogs and being involved in the community.