Cybersecurity and Data Privacy: Bond Public Comments on Department of Financial Services Proposed Cybersecurity Regulations Seek an Exemption for Institutions of Higher Education and Other Not-for-Profit Organizations (2/17)

Bond Schoeneck & King PLLC

On September 13, 2016, the New York State Department of Financial Services (DFS) issued proposed cybersecurity regulations (Proposed Regulations) that would impose significant new obligations on all organizations covered by the Proposed Regulations. This would include colleges and universities as well as other not-for-profit organizations in New York State that operate a donor annuity program because such programs require a permit from DFS in accordance with N.Y. Insurance Law § 1110. On December 28, 2016, DFS issued revised regulations that responded to extensive public criticism that the Proposed Regulations were too prescriptive, but left many key elements of the Proposed Regulations in place, including the requirement for annual certification of compliance by the Board of Directors of each covered organization. (For a description of the revised regulations, see https://www.bsk.com/media-center/3635-cybersecurity-data-privacy-proposed-new-york-state-regulations-updated-implementation.)

On January 27, 2017, Bond, Schoeneck & King, joined by the Commission on Independent Colleges and Universities, submitted a letter to DFS (Letter) urging that colleges and universities, as well as other not-for-profit organizations, be exempt from the Proposed Regulations. A copy of the Letter is found here. The Letter supports the exemption by noting, among other reasons, that the Proposed Regulations, which were designed for financial institutions such as banks, would impose an exceptional burden on institutions of higher education and not-for-profit organizations that is unrelated to their mission, size, resources or operations. Moreover, as set forth in the Letter, these organizations are already covered by other cybersecurity laws and regulations. In many cases, the data for the donor annuity program is held by banks, not by these organizations, further undercutting any rationale for including them under the mandate of the Proposed Regulations.

DFS has not yet issued the final cybersecurity regulations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bond Schoeneck & King PLLC | Attorney Advertising
