New York Fires First Salvo Under Cybersecurity Law

Poyner Spruill LLP
Contact

Poyner Spruill LLP

The New York Department of Financial Services (NYDFS) has launched its first enforcement action under New York’s Cybersecurity law for financial services, so-called Part 500. Part 500 requires NYDFS licensed institutions to adhere to certain privacy and cybersecurity standards.

Part 500 took full effect in March 2019. It required NYDFS licensed firms to undertake risk assessments for the Non Public Information (NPI) that they processed. Their cybersecurity practices had to correspond to the NPI’s nature, volume, and sensitivity.

Here, NYDFS alleged that the insurer had violated Part 500 obligations. Specifically, NYDFS contended that the company did not fix a known vulnerability in its document-handling program. Cyber defense staff discovered the problem in December 2018. But the company took another six months to address the issue. This failure allegedly compromised millions of documents.

NYDFS determined that the insurer had stored documents used to obtain title insurance in a proprietary document management system. The documents were sequentially numbered. This system, together with the absence of any verification procedures, enabled unauthorized viewers to access the documents. Some documents even appeared in Google search results.

Describing the  response as “a cascade of errors”, NYDFS cited the insurer for allegedly:

  • Not performing a risk assessment of the document management system;
  • Delaying resolution of the issue;
  • Failing to adhere to its own cybersecurity and privacy policies and procedures;
  • Failing to assign a qualified employee to address the issue;
  • Not conducting further risk assessments.

The NYDFS action is a strong shot across the bow to NYDFS-licensed entities. At a minimum, entities should have:

  • An assessment of NPI in their inventory;
  • Rigorous risk assessment;
  • Qualified cybersecurity staff, including a CISO;
  • Adequate and documented procedures;
  • Breach response plans;
  • Consistent enforcement across the board.

Falling short of these standards potentially entails $10,000 per NYDFS-defined violation. A stiff price tag by any measure.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising

Written by:

Poyner Spruill LLP
Contact
more
less

Poyner Spruill LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.