Pending NY State Proposed Cybersecurity Requirements for “Covered Entities”
At present, banking and financial institutions are subject to the requirements of certain federal statutes and regulations relating to privacy and security matters, including the Gramm-Leach-Bliley Act, FINRA regulations, and certain regulations that impact publicly traded entities. While 47 different states have, to date, adopted 47 different breach notification statutes, with few exceptions, individual states have not adopted broad cybersecurity mandates.
Now, the New York State Department of Financial Services (“NYDFS”) has proposed cybersecurity regulations (the “Proposed Regulations”) that would impose, at the state level, privacy and cybersecurity mandates on an expanded class of “covered entities” for the protection of “Nonpublic Information,” including business-related information; individuals’ information provided in connection with financial products and services; physical, mental or behavioral health information about a person or his/her family and household members; and any information that can be used to distinguish or trace an individual’s identity.[1]
Under the Proposed Regulations, a “Covered Entity” includes any Person[2] operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law. There are very limited exceptions to this definition.[3]
The Proposed Regulations, if adopted, will require Covered Entities to establish and maintain a robust, documented cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems[4] to protect and secure Nonpublic Information. Each Covered Entity will be required to assess its assets, identify risks, and adopt risk-mitigating technologies, policies and procedures, all of which must be reported to[5] and approved by its board of directors or other governing body, and must be auditable. Covered Entities must be prepared to detect, respond to, recover from and report “Cybersecurity Events.”
Under the Proposed Regulations, “Cybersecurity Event” means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.[6] Notification of a Cybersecurity Event must be given to the NYDFS within 72 hours of becoming aware of the event.
The Proposed Regulations would require a Covered Entity to have its program in place by June 30, 2017 (180 days from the targeted effective date of January 1, 2017). As such, Covered Entities that have not put such programs into place already will need to move quickly in order to meet these mandates. Once compliance is achieved, Covered Entities will then be required to report annually on their continued compliance efforts, maintaining such records for five years.
The Proposed Regulations also require Covered Entities to mandate compliance by third parties[7] who may have access to, receive or process Nonpublic Information, or otherwise have access to a Covered Entity’s Information Systems.
The Proposed Regulations are extremely detailed (both a blessing and a curse), and while their goals are laudable from a privacy and security standpoint, the costs to a small business of complying with these Proposed Regulations once they are adopted are not insignificant.
We are monitoring the status of these Proposed Regulations, but companies should be poised to move forward quickly if they are a “Covered Entity”. The attorneys here at CSG are prepared to help you understand and comply with these new mandates as currently proposed, or as they may be modified and then implemented.
UPDATE: The New York cybersecurity regulations have been revised; please see our January 2017 alert here.
[1] The Proposed Regulations contain an expansive definition of “Nonpublic Information” to be protected, and this new definition goes well beyond the definition of “Private Information” under New York State’s security breach notification requirements contained in the New York General Business Law (person’s name plus either social security number, driver’s license number, or credit card number). Nonpublic Information includes:
- Any business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;
- Any information that an individual provides to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, or is about an individual resulting from a transaction involving a financial product or service between a Covered Entity and an individual, or a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual;
- Any information, except age or gender, that is created by, derived or obtained from a health care provider or an individual and that relates to the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family or household, or from the provision of health care to any individual, or from payment for the provision of health care to any individual;
- Any information that can be used to distinguish or trace an individual’s identity, including but not limited to an individual’s name, social security number, date and place of birth, mother’s maiden name, biometric records, any information that is linked or linkable to an individual, including but not limited to medical, educational, financial, occupational or employment information, information about an individual used for marketing purposes or any password or other authentication factor.
[2] “Person”, under the Proposed Regulations, means any individual, partnership, corporation, association or any other entity.
[3] An otherwise “Covered Entity” with (1) fewer than 1000 customers in each of the last three calendar years, (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, shall be exempt only from certain aspects of the requirements under the Proposed Regulations. The “exempt” entities must still adopt a robust cyber program and policy, must still compel compliance by their third party vendors and consultants, and must still report cyber incidents to the superintendent. (A complete list of the “non-exempt” sections is as follows: Sections 500.02, 500.03, 500.07, 500.09, 500.11, 500.13, 500.17, 500.19, 500.20 and 500.21 of the NYDFS Proposed Regulations, 23 NYCRR 500.)
[4] “Information System” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
[5] The Proposed Regulations require a Covered Entity to have a Chief Information Security Officer (CISO), who must report to the Covered Entity’s Board of Directors or other governing body.
[6] The Proposed Regulations’ definition of a “reportable” Cybersecurity Event goes well beyond the current New York breach notification statute, which defines a breach as the “[actual] unauthorized acquisition or acquisition without valid authorization of computerized data…”
[7] The Proposed Regulations require that Covered Entities have preferred contract clauses prepared for their third party vendors with access to Nonpublic Information.