Password Protected

Data Privacy & Security News and Trends

The Equifax Breach: How to Protect Your Company and Your Customers

Posted in Data breach

On September 7, Equifax, one of the three major credit reporting firms in the U.S., disclosed a data breach that potentially affects 143 million consumers. Equifax’s disclosure indicated that the breach, which Equifax claims to have discovered in July, resulted from a vulnerability in Apache Struts (CVE-2017-5638), an open-source software (OSS) framework that supports the Equifax online dispute portal web application. The Apache Struts vulnerability was identified and disclosed by the United States Computer Emergency Readiness Team in March 2017. Although Equifax made some effort to identify and secure vulnerable systems, it is unclear what steps Equifax took to patch the system or whether it otherwise engaged in remediation measures, including any update to its Web applications.

Managing Regulator Inquiry

If your company has utilized Equifax services, then your customers may have been exposed to an increased risk of identity theft. This risk may leave your business vulnerable to regulator inquiry.  Companies can expect regulators to ask questions such as: (1) what is the nature of the relationship between the company and Equifax, including contractual obligations; (2) what types of information have been exchanged between the company and Equifax, and is the company still reporting information to Equifax; and (3) in light of the breach, what will the company do to protect its customers and ensure their information is safeguarded going forward?

Some steps that you can immediately take to help position your company to properly respond to regulator inquiry include:

  • Establishing a point of contact and mobilizing your breach response team across departments to specifically manage the Equifax breach.
  • Conducting a thorough review of the information policies and procedures that are currently in place. This will allow you to effectively convey a factual report to the regulator regarding your data management practices.
  • Working with in-house and outside counsel to initiate an internal investigation to determine how sensitive consumer data is being managed, and what data may be at risk as a result of the breach.

Managing Your Relationship with Equifax

To mitigate any potential liability, you should immediately review your company’s contracts with Equifax. Once this analysis is complete, you can decide how best to manage your relationship with Equifax by determining what action, if any, you should take regarding any costs you may have related to the breach.  Some of the questions you should consider while evaluating your contractual relationship with Equifax include:

  • What Equifax products or services does your company use and what customer information is and has been exchanged between the company and Equifax?
  • Are there any existing contractual provisions that require the company to send data to Equifax?
    • If the company is required to use an Equifax service, are there transmission requirements to send the data? Who has access to the data? What is the data retention policy?
  • What pathways exist to modify the contract to address Equifax’s data security issues?
  • Is it reasonable to stop using the Equifax service?
    • Will there be a business disruption and cost to find another vendor? Keep in mind that there is no guarantee that existing alternatives are better equipped to safeguard against a breach.
  • What questions, demands and inquiries can your company make of Equifax to determine what steps Equifax has taken since the breach to secure its system and customer information?
    • What costs should Equifax cover relating to your management of the breach? What improvements should Equifax make to enhance data security practices going forward?

NYDFS Guidance to Regulated Institutions

Following the Equifax breach, the New York Department of Financial Services (“NYDFS”) promptly issued guidance to all financial institutions and insurers that are regulated by NYDFS and its Cybersecurity Requirements for Financial Services Companies. NYDFS strongly urged regulated institutions “to ensure that this incident receives the highest level of attention and vigilance.” This guidance is instructive not only for regulated companies, but also for entities outside the purview of NYDFS, as it highlights the expectations that all companies will face in managing the threat to their customers posed by the Equifax breach.

The NYDFS guidance encourages institutions that provide consumer- or commercial-related account and debt information to Equifax to carefully review the terms of any credit-reporting arrangement with Equifax to determine any potential risk associated with the continued provision of data in light of this cyberattack. In this regard, institutions are specifically cautioned to take into consideration the NYDFS Cybersecurity Regulation with respect to third party service providers.  Similarly, institutions that receive credit reports from Equifax are advised to confirm the validity of information contained in Equifax credit reports, as they may have been compromised in the cyberattack.

The guidance also urges regulated institutions to consider the following best practices for information security:

  • Install all available security patches;
  • Implement appropriate ID theft and fraud prevention programs for both new and existing customers;
  • Use an identity verification/fraud service for identity verification;
  • Provide a call center for customers to report if their information has been hacked and code these customer accounts with a “red flag”; and
  • Use Multi-Factor Authentication and Risk-Based Authentication techniques instead of relying solely on personally identifiable information (PII) as a means of verifying identity.

“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo, warning that NYDFS would take all action that is necessary “to protect New York’s markets, consumers and sensitive information from criminals.” In light of the recent expiration of the deadline for achieving compliance with the NYDFS Cybersecurity Regulations and the increased risk created by the Equifax breach, it is crucial that all companies regulated by NYDFS take immediate and proactive measures to mitigate potential harm to their customers and ensure compliance with the NYDFS Cybersecurity Regulations.

This breach has highlighted the often overlooked importance of proper IT infrastructure and data management. Accordingly, your company must be prepared to examine and defend its policies and practices to ensure your customers and IT network are protected.  Areas of focus should include vendor management practices, proactive system monitoring procedures, and data encryption protocols.

Update: Another Court Gives Broad Reading to Illinois Biometric Privacy Act

Posted in Privacy, Social Media

Another court ruling this week concludes that the Illinois Biometric Information Privacy Act (IBIPA) covers face geometry scans that are created from digital images, again rejecting the argument that the statute should apply only to facial scans made in person. The case, Monroy v. Shutterfly, Inc., No. 16 C 10984 (N.D. Ill. September 15, 2017) was brought by an individual whose face geometry was scanned by the photo website Shutterfly from a photo uploaded by a different user.

The IBIPA requires anyone who collects and stores certain “biometric identifiers” such as “face geometry” to first obtain the person’s consent and also requires a written policy for retention and eventual destruction of those identifiers.  Like the earlier Rivera v. Google ruling, this is a preliminary ruling in the case and one that still leaves open a thicket of issues related to how Illinois’s statute may apply to activities occurring in other states.  As further discussed in a prior post, if this interpretation ultimately prevails, it would have a significant impact, at least in Illinois, on the privacy compliance requirements for a broad and growing category of technology products.

A Little Help From HIPAA

Posted in Data Security, Health Information

HIPAA’s Security Rule requires that Covered Entities perform “periodic” Security Risk Assessments. All too often, however, this regulatory obligation is ignored altogether, performed extremely sporadically, or treated as a regulatory hoop-jumping exercise to be completed as quickly as possible. Aside from increasing the risk of HIPAA liability, treating the Security Rule Risk Assessment in these ways means missing out on an opportunity to explore and shore up the entity’s data security systems.

Despite what criticisms may exist for other parts of the HIPAA regulations, the Security Rule can be a remarkably helpful tool.  It was rolled out in 2013, and it has survived the test of time despite astonishing changes in technology.  Indeed, one of the reasons for this is that the Security Rule expressly incorporates a “flexibility of approach,” making it applicable to Covered Entities of all sizes and configurations.

At its core, the Security Rule aims to ensure the confidentiality, integrity, and availability of electronic PHI, and the elements of the rule are pretty much the very same things that would be expected of any responsible organization operating in the digital age anyway.

When done properly, the Security Rule Risk Assessment helps entities to examine their operations to identify where and how their data is stored; reasonably anticipate and address the risks that may exist to their data; and identify the various ways in which the entity manages its operations with respect to a fairly logical set of required and addressable criteria.  This exercise can be critically important in helping in-house counsel and the compliance team to understand where the organization’s information “lives,” who is in charge of securing the data, and what areas of potential vulnerability require attention.

Lawyers do not often applaud regulations, but in the case of data security practices, the HIPAA Security Rule can be tremendously helpful, and all entities should take it very seriously.

FTC Provides Guidance on Data Security in Its “Stick With Security” Blog

Posted in Data Security, FTC enforcement

Building on the FTC’s “Start with Security” guide for businesses, the agency launched the “Stick with Security” blog on July 21, 2017. The blog provides additional guidance on each of the 10 fundamental principles of data security through hypotheticals based on FTC decisions, questions submitted, and FTC enforcement actions. Each week, the FTC publishes a post dedicated to one of the 10 data security principles.

The 10 fundamental “Start with Security” principles include:

  1. Start with security. The first principle urges companies to factor data security into all aspects of the business and to make conscious decisions about how, when, and whether to collect, retain and use personally identifiable information.
  2. Control access to data sensibly. The second principle recommends restricting access to personal data to employees who have a legitimate need to access the data. This recommendation includes restricting administrative access to the company’s systems to employees tasked with making system changes.
  3. Require secure passwords and authentication. According to the third principle, companies should require “complex and unique” passwords, store passwords securely, and test for common vulnerabilities to protect against unauthorized access to data.
  4. Store sensitive personal information securely and protect it during transmission. The fourth principle advises companies to encrypt data while in transit and when at rest throughout the data’s entire lifecycle. Companies should use industry-tested methods of securing data and ensure that the measures are implemented and configured appropriately.
  5. Segment your network and monitor who’s trying to get in and out. The fifth principle speaks to the design of a company’s network; it should be segmented and include intrusion detection and prevention tools.
  6. Secure remote access to your network. The sixth principle considers a company to be responsible not only for the security of its internal network, but also for examining the security of employees’ computers and systems of others to whom the company grants remote access to its systems. In addition, companies should limit remote access to only the areas that are necessary to achieve the purpose.
  7. Apply sound security practices when developing new products. The seventh principle urges companies to use engineers trained in secure coding practices and to follow explicit platform guidelines designed to make new products more secure. This principle also indicates that companies are expected to ensure that their privacy and security features function properly and meet advertising claims.
  8. Make sure your service providers implement reasonable security measures. The eighth principle advises companies to choose providers with appropriate security measures and standards and to require providers to meet expectations by expressly including those obligations in provider contracts. Also, companies should contractually preserve the right to verify that the provider is meeting expectations on data security matters.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise. The ninth principle instructs companies to implement and maintain up-to-date security patches, heed warnings regarding known vulnerabilities, and establish a process for receiving and responding to security alerts.
  10. Secure paper, physical media, and devices. The tenth principle applies similar security lessons to non-electronic data, such as data on paper and other physical media. This principle recommends storing paper containing sensitive data in a secure area, using PINs and encryption to secure data housed on other physical media, establishing security policies for employees when traveling with media that contains sensitive data, and disposing of sensitive data on paper and other physical media securely.

Since July 21st, the FTC has published seven helpful posts. Up next, the FTC will discuss the eighth principle: Make sure your service providers implement reasonable security measures.

Government Response to Increasing Cyber Threats

Posted in Cybersecurity, Legislation

Government agencies collect and hold massive amounts of personally identifiable information (PII), creating valuable targets for cybercrime. Recently proposed legislation would impose baseline standards for cyber hygiene on federal agencies. State and local governments, as well as private industry, should measure themselves against the same federal standards to protect against catastrophic loss of PII.

Security experts estimate that approximately 90% of successful cyberattacks are due to poor cyber hygiene and security management at the targets. The Promoting Good Cyber Hygiene Act of 2017 (the “Act”), introduced in the Senate, as well as comparable legislation introduced in the House, is designed to address potential shortcomings in federal agencies’ cyber hygiene practices. The Act would require the National Institute of Standards and Technology (NIST) to establish a list of best practices for effective and usable cyber hygiene for use by the Federal Government. The list also would be published as a standard for state and local government agencies, as well as the private sector.

Specifically, NIST must provide a list (1) of simple, basic controls that have the most impact in defending against common cyber security threats, (2) that utilizes commercial off-the-shelf technologies, based on international standards, and (3) that, if practicable, is based on and consistent with the Cybersecurity Framework contained in Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”). Also, the Act requires DHS, in coordination with the FTC and NIST, to conduct a study on cybersecurity threats relating to the Internet of Things (“IoT”), and in August 2017, the Senate introduced the IoT Cybersecurity Improvement Act of 2017, which includes minimum security standards for IoT devices connecting to federal government systems.

The Act requires NIST to consider the benefits of emerging technologies and processes such as multi-factor authentication, data loss prevention, micro-segmentation, data encryption, cloud services, anonymization, software patching and maintenance, phishing education and other standard cybersecurity measures. NIST, as well as Federal and state governments should also consider implementing the following security best practices:

  • Compartmentalize and segment data and limit access to segmented data on a need to know basis. Only collect data that is necessary to provide its services.
  • Train all users (everyone with access to its systems, including contractors and subcontractors) on identifying and avoiding security threats.
  • Create comprehensive forensic evidence logs for data breaches to help identify and plug deficiencies in its systems.
  • Keep up to date on all operating system versions and patches, and ensure its vendors are also up to date on their systems.
  • Monitor user activities and look for anomalies and discrepancies in access or usage patterns; track potentially suspicious activities.
  • Automate workflows and courses of action to reduce incident response times, and minimize the impact of a security breach.
  • Create, implement, and improve upon incident response and disaster recovery plans and risk mitigation strategies and best practices, both internally, as well as externally by requiring third party contractors to implement comparable practices.
  • Back up critical data on a continual basis to avoid susceptibility to ransomware demands.

In addition to new standards contemplated by the Act, NIST standards currently are being implemented into federal procurements. Federal Acquisition Regulation (“FAR”) and Department of Defense FAR Supplement (DFARS) provisions incorporated into government contracts require contractors to safeguard systems and information in accordance with all or part of NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These new mandatory contract clauses underscore the vulnerability of information that may not remain in a single system. True risk mitigation includes requiring strategic partners to comply with proper cybersecurity measures.

In addition to storing PII, government agencies also own and operate critical systems, networks and infrastructure. In light of the increasingly high profile, more sophisticated, and numerous ransomware and other malware attacks, such as “Wanna Cry” and “not-Petya” infecting networks worldwide in the first half of 2017, it is more critical than ever for government agencies to identify, contain, remediate, and prevent cyberattacks. State and local government, as well as industry, should take advantage of the lessons learned and best practices incorporated in current and pending federal cybersecurity standards.

Federal standards such as those incorporated into government contracts and contemplated under the Act serve as a baseline starting point, and should continually be re-examined and updated once such best practices are implemented. Cyberattacks are not static and will evolve into more sophisticated, higher-volume attacks. Cyber-countermeasures and best practices must follow suit and evolve and improve with each lesson learned from every attack.

European Court of Human Rights Overturns Decision on Employee Email Monitoring

Posted in EU Data Protection

Back in January 2016, Sarah Thompson reported on a European Court of Human Rights (ECHR) ruling in favour of an employer who had terminated an employee’s employment after investigating his misuse of a company email account.

Earlier this week, the Grand Chamber of the ECHR overturned that ruling, finding that the Romanian employee’s right to privacy had in fact been infringed by his employer, when his personal messages were read in the course of an investigation, even though they were sent using company equipment and during working hours. The decision of the Grand Chamber represents the final decision of European courts on this issue, as it is the highest court of appeal and this judgment is therefore conclusive. As a result, Mr. Barbulescu is now entitled to compensation, although as can be seen from the decision, the court determined the amounts to be relatively low.

Employers should already be aware that employees have a certain right to privacy at work and must be properly informed if their communications are to be monitored and in what, if any, limited circumstances such monitoring may be conducted, always bearing in mind the need to balance employee rights and legitimate business interests.

The ECHR Grand Chamber’s decision considers this in detail, and although the judgment is lengthy, the key points benefit from the further clarification given by the court’s Q&A on the judgment. This helpful summary points out that Mr. Barbulescu’s right to private life and correspondence (protected by Article 8 of the European Convention on Human Rights) was violated by his employer because his employer failed to strike the necessary fair balance between each party’s rights and the Romanian courts had failed to determine whether he had properly been informed that his communications could be monitored.

The Q&A also states that this decision “does not mean that employers cannot, under any circumstances, monitor employees’ communications when they suspect them of using the internet at work for private purposes. However, the Court considers that States should ensure that, when an employer takes measures to monitor employee’s communications, these measures are accompanied by adequate and sufficient safeguards against abuse.”

Japan and South Korea in the Pipeline for Adequacy Decision

Posted in EU Data Protection, Legislation

In early 2017, the EU Commission published a communication about Exchanging and Protecting Personal Data in a Globalized World in which the EU Commission prioritizes discussions on possible adequacy decision with key trading partners, starting from Japan and South Korea in 2017.  More particularly, on July 3, 2017, the EU Commission and a representative of the Japanese Personal Information Protection Commission met in Brussels to move forward on a possible adequacy decision.

With the recent reform of the Japanese Act on the Protection of Personal Information on May 30, 2017 and with the new EU General Data Protection Regulation (the “GDPR”, which will apply from May 25, 2018), Japan and the EU have strengthened their respective data protection regimes. As a result, both have a very similar regime and ensure a very high level of protection for personal data. This convergence offers new opportunities to pursue a dialogue on an adequacy decision.

The EU Commission considers that, in particular, the following criteria should be taken into account to assess with which countries a dialogue on adequacy should be pursued:

  • The extent of the EU’s (actual or potential) commercial relation with a given third country;
  • The extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
  • The pioneering role that the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and
  • The overall political relationship with the third country in question.

An adequacy decision is an implementing decision taken by the EU Commission to make a determination that a third country ensures an adequate level of protection of personal data. Once an adequate level of protection is recognized by the EU Commission, transfers can be made without specific authorizations. For now, the Commission has adopted 12 adequacy decisions, including the EU-US Privacy Shield.

The EU Commission, when determining whether a third country has an adequate level of protection, must take into account among others (GDPR, art. 45.2):

  • “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;”
  • “the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States”; and
  • “the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.”

The overall evaluation does not require a level of protection identical to that offered within the EU, but requires a level of protection that is “essentially equivalent”.

Under the GDPR, an adequacy decision is not a definitive decision but a decision that once adopted needs close monitoring by the EU Commission and review, at least every four years, to take into account all relevant developments affecting the level of protection ensured by the third country.

This two-way dialogue with Japan will include exploring ways to increase convergence of Japan’s laws and practice with the EU data protection rules. The EU Commission and Japan have reaffirmed their commitment to intensify their efforts and to conclude this dialogue by early 2018.

Call Me Maybe: Equivocal Statements May Partially Revoke Consent Under TCPA

Posted in Litigation, Privacy

In a recent decision, the 11th U.S. Circuit Court of Appeals reversed a grant of summary judgment in favor of a bank on Telephone Consumer Protection Act (TCPA) claims, by holding that a consumer can partially revoke her previously provided consent.

In Schweitzer v. Comenity Bank, the plaintiff sued the bank under the TCPA for calls placed to her cell phone after she allegedly revoked her consent. The revocation at issue purportedly occurred during a call the bank placed to the plaintiff, in which the plaintiff said, “And if you guys cannot call me, like, in the morning and during the workday, because I’m working, and I can’t really be talking about these things while I’m at work.”

The bank argued, and the district court had agreed, that this statement did not constitute a clear statement that the plaintiff did not want any further calls. The plaintiff appealed, arguing that the TCPA allows a consumer to partially revoke her consent to receive automated calls and that the plaintiff had revoked her consent to receive calls in the morning or during the workday.

In analyzing the issue of partial revocation, the 11th Circuit turned to its prior decision in Osorio v. State Farm Bank, F.S.B., which held that a consumer may orally revoke her consent under the TCPA in the absence of a contractual restriction, to hold that the common-law understanding of consent applies to the TCPA. Under the common law, the court explained, a person may limit her consent as she likes, permitting a consumer under the TCPA to provide limited consent. Therefore, the court concluded that “unlimited consent, once given, can also be partially revoked as to future automated calls under the TCPA.”

Turning to the effect of the plaintiff’s statements, the court held that a jury may find that the plaintiff was too equivocal to constitute partial revocation, but the lack of specificity in the plaintiff’s request did not preclude her from being able to have a jury decide the question. This holding highlights that the question of whether a consumer adequately revoked her consent, in many circumstances, will require a trial.

Of note, the 11th Circuit did not reference the recent Reyes decision by the 2nd Circuit, which held that a consumer cannot unilaterally revoke contractually agreed-upon consent under the TCPA. The reference the court made to its prior decision in Osorio, however, did highlight the distinction the 2nd Circuit drew in its decision limiting revocation. Specifically, the court noted that only in the “absence of any contractual restriction to the contrary, [consumers] were free to orally revoke any consent previously given.”  In addition, given that the court relied upon the common-law principles for revocation, like the 2nd Circuit in Reyes, it appears the two decisions are consistent. Thus, a company may be able to avoid the issues faced in Schweitzer by utilizing contractual provisions addressing consent and revocation.

Proposed Bipartisan Bill Intended to Strengthen Security of Internet of Things (IoT) Devices

Posted in Cybersecurity, Legislation

Earlier this month, Senators from both sides of the aisle introduced the “Internet of Things Cybersecurity Improvement Act of 2017,” outlining new security requirements for vendors who supply the U.S. Government with IoT devices. The bill was proposed by U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT).

In a Press Release for the bill, Senator Warner notes that the sheer number of IoT devices – expected to exceed 20 billion devices by 2020 – presents increasing opportunities for cyberattacks. “While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Senator Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would:

  • Require vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
  • Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.
  • Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.
  • Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.
  • Require each executive agency to inventory all Internet-connected devices in use by the agency.

While this bill is aimed at U.S. Government vendors, the growing concern related to IoT device security is not limited to federal procurements. Michelle Richardson, Deputy Director of the Freedom, Security and Technology Project, Center for Democracy and Technology, describes this bill as an “important first step,” and others speculate that the bill may have a ripple effect on companies manufacturing IoT devices for private consumers. With the rapid advancements in IoT devices and the increased sophistication of cyberattacks, securing these devices will continue to be a moving target; however, this bill may mark a first step in a trend toward increased legislative focus on the overall security of the Internet of Things.

NY Cybersecurity Regulations for Financial Services Companies: Enforcement Begins Aug. 28

Posted in Cybersecurity, Financial Services Information Management, Regulation

The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.

Cybersecurity Regulation Overview

The cybersecurity regulations became effective March 1, 2017. In its official introduction to the regulations (23 NYCRR 500), NYDFS observed that the financial services industry has become a significant target of cybersecurity threats and that cybercriminals can cause large financial losses for both financial institutions and their customers whose private information may be stolen for illicit purposes. Given the seriousness of this risk, NYDFS determined that certain regulatory minimum standards were warranted but avoided being overly prescriptive, to allow cybersecurity programs to match the relevant risks and keep pace with technological advances.

The cybersecurity regulations require each financial services company regulated by NYDFS to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The required risk assessment, however, is not intended to permit a cost-benefit analysis of acceptable losses where an institution faces cybersecurity risks. Senior management must be responsible for an organization’s cybersecurity program and file an annual certification confirming compliance with the regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

NYDFS has issued a clear warning of its intent to pursue strong enforcement of the Cybersecurity Regulations:  “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.  The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.  Adoption of the program outlined in these regulations is a priority for New York State.”

To learn more about who is affected, required actions to comply, possible penalties and upcoming deadlines, click here.