New York’s Department of Financial Services has a hidden superpower: it can use the cybersecurity laws of other states for enforcement, thanks to a broadly worded rule for breach notification. NYDFS recently highlighted its far-reaching authority in two consent orders, while imposing $4.5 million in penalties. These settlements also showcase the wide array of regulatory trouble that modest phishing exploits can cause for banks, insurers and other NYDFS licensees. We discuss New York’s expansive breach obligations, the perils of a pioneering punishment and the top compliance implications of both settlements with enforcement specialists from Alston & Bird, Hogan Lovells and Lowenstein Sandler. See “Six Compliance Lessons From NYDFS’ First Cybersecurity Regulation Enforcement Action” (Aug. 12, 2020).