Proposed New York State Regulations Address Cyberattack Risks

Cybersecurity is a critically important concern for businesses of all sizes and in all sectors of the economy. The growth of electronic data systems, not to mention the internet, has brought almost countless new risks from hackers and others who use new technologies to perpetrate traditional crimes like theft. Businesses that collect and maintain consumers’ personal information must be particularly careful, since cybersecurity breaches can affect their customers’ financial interests as well as their own. The New York State Department of Financial Services (DFS) announced new proposed cybersecurity regulations several months ago for businesses in the financial sector. The proposed regulations, which are reportedly the first of their kind in the country, would require covered businesses to undertake extensive measures to safeguard their data.

New York law currently requires state agencies and private businesses to notify the state’s attorney general of any cybersecurity breaches that result in the release of “private information” to unauthorized persons. “Private information” includes information that may be used to identify a particular individual and that includes details like a Social Security number, a driver’s license or other identification number, or information that could enable access to a credit card or another financial account. N.Y. State Tech. L. § 208, N.Y. Gen. Bus. L. § 899-AA. State law does not currently impose affirmative obligations on businesses to protect private information or to guard against cybersecurity breaches.

The governor announced the proposed DFS regulation in mid-September 2016. The regulation, which would be codified in Title 23 of the New York Codes, Rules, and Regulations (NYCRR), applies to any business or organization under the jurisdiction of the New York Banking Law, Insurance Law, or Financial Services Law. 23 NYCRR § 500.01(c) (proposed). It requires “covered entities” to perform a risk assessment on a periodic basis, initially to identify cybersecurity needs and vulnerabilities, and subsequently “to respond to technological developments and evolving threats.” Id. at § 500.09.

Covered entities must use the information obtained through the risk assessment to develop a “cybersecurity program designed to protect the confidentiality, integrity and availability of” their electronic information systems. Id. at § 500.02. Additional requirements include the designation of a “Chief Information Security Officer,” routine “monitoring and testing” of security measures, and encryption of various types of private information.

Criticism of the proposed regulation addresses its sheer scope, as well as the fact that it could conflict with cybersecurity regulations in other states. Businesses subject to the regulation may have to make substantial changes to their operations in order to comply, and the DFS itself could have difficulty managing the new requirements. The regulation requires covered entities to report any cybersecurity-related incident that has “a reasonable likelihood of materially harming any material part” of their operations. Because the regulation’s definition of a cybersecurity event covers attempts as well as successes, this could include attempted or otherwise unsuccessful breaches, or even incidents that merely appear to be breaches. As a contributor to Forbes notes, large financial institutions could “have millions of cybersecurity events in one day,” which would surely tax the DFS’ resources. The DFS made revisions to the proposed regulations in December 2016, based on public comments, and extended the public comment period to late January 2017.

Business law attorney Samuel C. Berger represents businesses, business owners, and entrepreneurs in New York City and Northern New Jersey. Our fixed-fee packages of legal services cover a wide range of issues that help our clients meet their specific legal needs. To schedule a confidential consultation with an experienced business advocate, contact us today online, at (201) 587-1500, or at (212) 380-8117.

More Blog Posts:

FTC Issues Guidance for Businesses that Handle Private Medical Information, New York & New Jersey Business Lawyer Blog, December 15, 2016

“Business Email Compromise” Scams Target Businesses in New York, New Jersey, and Nationwide, New York & New Jersey Business Lawyer Blog, July 21, 2016

Federal Government Addresses Cybersecurity Risks for Businesses, New York & New Jersey Business Lawyer Blog, January 7, 2016

Photo credit: Byseyhanla (Own work) [CC BY-SA 4.0], via Wikimedia Commons.