Legal Alert: New York Department of Financial Services Issues 308 Request on Cyber Threats

On May 28, 2013, the New York State Department of Financial Services (DFS) sent inquiries to 31 of the largest life, health and property/casualty insurance companies pursuant to its authority under Section 308 of the New York Insurance Law. These inquiries requested information on the policies and procedures the insurers have in place to protect against cyber-attacks. Among the information requested by the DFS was the following:

- Information on cyber-attacks to which the companies have been subject in the past three years;

- The cyber-security safeguards that the companies have put in place;

- The companies’ information technology management policies;

- The amount of funds and other resources dedicated to cyber-security at each company; and

- The companies’ governance and internal control policies related to cyber-security.

The highly technical nature of the 308 letters will likely necessitate a joint effort of legal and information technology personnel to formulate responses. The answers to some of the requests may have implications under New York’s insurance regulations (e.g., Regulation No. 173), HIPAA’s Security Rule (45 C.F.R. §164) and similar regulations in other states. Further, the 308 letter uses numerous terms that do not have well-defined meanings. For example, the term “data loss prevention tools” is extremely vague and can be construed to include anything from a backup tape to sophisticated software systems. Additionally, the term “mobile devices” could include anything from smartphones and iPads to thumb drives, laptops, external hard drives and CDs. The 308 letter also refers to “cloud computing,” which, despite its common usage, does not have a clear definition.

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sutherland Asbill & Brennan LLP | Attorney Advertising
