Controversial New York Cybersecurity Regulations Revised
After receiving extensive comments on the cybersecurity regulations originally proposed in September 2016 (the “Original Proposal”), the New York Department of Financial Services (“DFS”) published revisions to the Original Proposal (the “Revised Regulations”) on December 28, 2016. While the Revised Regulations provide some relief from the stringent requirements contained in the Original Proposal, they remain broad in their application and extensive in their mandates. For more information on the Original Proposal, please see our past alert here.
A key aspect of the Revised Regulations is the recognition that Covered Entities’ risk profiles are not “one size fits all”. As such, Covered Entities are required to undertake a Risk Assessment, and then to develop and implement policies and procedures to address the risks identified through that Risk Assessment. Other notable revisions address: (i) revising the definition of Nonpublic Information and expanding the sources of Nonpublic Information (beyond the individual in question), (ii) defining Third Party Service Providers and eliminating the obligation to audit a Third Party Service Provider (but still requiring a Covered Entity to vet any such provider’s security practices), (iii) changing the requirements for reporting “Cybersecurity Events,” (iv) changing the requirement for “annual risk assessments” to “periodic” assessments, (v) eliminating the mandate for encryption, but requiring compensating measures where encryption technology is not used, and (vi) modifying the exemptions from what would otherwise be a “Covered Entity”. The new “Effective Date” is March 1, 2017.
The Revised Regulations:
- Redefine the exemptions to exclude from otherwise “Covered Entities” those with:
  - fewer than 10 employees including any independent contractors, or¹
  - less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
  - less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
- Refine and narrow what constitutes “Nonpublic Information” to now include:
  - any information that because of name, number, personal mark, or other identifier can be used to identify an individual in combination with any one of the following: (i) social security number; (ii) driver’s license or other non-driver identification card number; (iii) account or credit card number; (iv) any security or access code or password permitting access to an individual’s financial records; or (v) biometric records.
  - Expand the definition of Nonpublic Information in relation to the manner in which such information is obtained. The Revised Regulations now define Nonpublic Information to mean any of the foregoing information “concerning an individual” regardless of whether the information is provided by the subject individual to the Covered Entity, or is collected or received from third party sources (excluding only Publicly Available Information).
- Limit the Cybersecurity Events which must be reported within 72 hours to those:
  - “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory board” and those “that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” Note that DFS declined to revise the broad definition of a Cybersecurity Event in the Original Proposal.
- Provide that a Covered Entity’s cybersecurity program and written cybersecurity policy to protect Nonpublic Information shall be based on the individualized Risk Assessments performed periodically (as opposed to annually in the Original Proposal) by each Covered Entity related to that Covered Entity’s cybersecurity, information systems, and Nonpublic Information, thereby allowing for greater flexibility (and perhaps less clear direction) in the cybersecurity programs and policies to be adopted by the Covered Entities.
- Define “Third Party Service Provider” to be:
  - “a Person that (i) is not an affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
- Eliminate the requirement that Covered Entities audit their Third Party Service Providers; however, Covered Entities are still required to implement written policies based on their Risk Assessments that must address:
  - (i) the identification and risk assessment of Third Party Service Providers; (ii) minimum cybersecurity practices required to be met by Third Party Service Providers; (iii) due diligence processes to evaluate the adequacy of those practices; (iv) periodic assessment of the risk presented by the Third Party Service Providers and the adequacy of their cybersecurity practices; and (v) guidelines and contractual protections relating to Third Party Service Providers, including guidelines relating to the Third Party Service Provider’s cybersecurity practices, their use of encryption of Nonpublic Information and their reporting of Cybersecurity Events to the Covered Entity.
The Revised Regulations are now scheduled to be finalized following a thirty (30) day comment period ending on January 27, 2017. However, DFS has made clear that it “will focus its final review on any new comments that were not previously raised in the original comment process,” suggesting any further revisions will be minimal, and regulation topics on which DFS has already received input are not likely to be “softened” or scaled back further in their application.
The Revised Regulations create a staggered implementation timeframe. Covered Entities will have 180 days from the Effective Date to comply, with certain additional periods of either 12, 18, or 24 months for compliance relating to certain specified provisions of the Revised Regulations.
Even with the revisions, the Revised Regulations will likely create significant expense for those Covered Entities and Third-Party Service Providers that are required to comply.
¹ The Original Proposal required that any entity seeking exemption meet all three criteria to be exempt, rather than meeting any one of the exemption categories. Also, the Original Proposal excluded entities with “fewer than 1000 customers” rather than focusing on the number of employees.