New York Cybersecurity Regulations Delayed
Following significant criticism, New York’s Department of Financial Services (“NYDFS”) has determined to delay issuing its controversial cybersecurity regulations which were set to become effective as of January 1, 2017. NYDFS will instead release a revised draft of the proposed regulations on December 28, 2016, with a 30-day public comment period commencing thereafter. NYDFS has not provided any insight as to what changes will be reflected in the new draft, but the financial services industry voiced concern that: (i) the “one size fits all” approach of the regulations would prove too costly for small companies; (ii) the regulations reached well beyond New York and were unclear as to the extent out-of-state entities would be required to comply with the regulations’ mandates; and (iii) the broad definition of a reportable data security incident, which encompassed unsuccessful attempts at access, placed an undue burden on companies to report. The anticipated new effective date for the revised regulations will be March 1, 2017.
We will provide through a follow up alert a summary of the revised, proposed regulations after the New Year.
For more information on the proposed regulations issued in October 2016, please see our past alert here.
UPDATE: The New York cybersecurity regulations have been revised; please see our January 2017 alert here.