Companies should take note of two imminent developments in New York in the area of cybersecurity regulation: enforcement of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (Regulation) and the effective date of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act or Act). The Regulation and the Act both contain prescriptive cybersecurity requirements and new breach notification obligations for regulated organizations. The Act has a particularly broad reach, impacting any company that owns or licenses private information of New York residents.
The NYDFS Regulation originally came into effect on March 1, 2017, and provided for a two-year implementation plan for companies to develop a robust cybersecurity program. It applies to any “Covered Entity,” which is defined broadly to include “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” Such organizations were required to implement the Regulation in three phases and submit certifications to NYDFS after each phase. The final phase of implementation ended March 1, 2019, after which Covered Entities were expected to be in full compliance with the Regulation’s various obligations. A full year later, however, it is still unclear when and how the NYDFS will transition to enforcement mode.
The Regulation is unique among most existing cybersecurity regulations in that it contains various prescriptive requirements rather than a principles-based framework favored by many in industry. Among a number of other obligations, the Regulation requires companies to:
- Create a written information security policy and incident response plan;
- Designate a Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program;
- Conduct penetration testing and vulnerability management practices;
- Implement multi-factor authentication or reasonably equivalent access controls;
- Invest in data security controls such as encryption; and
- Notify NYDFS within 72 hours of a qualifying cyber event.
NYDFS is empowered with several mechanisms to remedy non-compliant entities, including the imposition of monetary penalties and enforcement actions for unfair, deceptive, or abusive practices. For certain violations, the NYDFS can suspend or revoke a Covered Entity’s banking license.
Over the past three years, NYDFS has been actively focused on evaluating cybersecurity preparedness in its examinations of financial institutions, although to date it has not brought an enforcement action pursuant to the Regulation. Recent events suggest, however, that the grace period may be coming to an end.
In May 2019, NYDFS announced the creation of a Cybersecurity Division to enforce the Regulation. In its press release, NYDFS said the new Division will “enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Financial Enforcement Division.” In addition, at a recent New York City Bar Association event earlier this month, NYDFS Superintendent Linda Lacewell strongly suggested that the regulator will soon begin enforcement in earnest. Finally, Governor Andrew Cuomo released a proposal in the administration’s 2020 Agenda that would significantly enlarge NYDFS’ mission and funding. Should the legislature decide to adopt the Governor’s proposal on March 31, 2020, it would take effect immediately.
In addition, on July 25, 2019, Governor Cuomo signed into law the SHIELD Act. Notably, the Act applies to any company that owns or licenses “private information” of New York residents – even organizations that do not conduct business in the state. The Act contains both expanded breach notification obligations (which have been in effect since October 2019) and specific requirements to maintain reasonable administrative, technical, and physical safeguards to protect personal information. These new substantive cybersecurity requirements will take effect on March 21, 2020.
While the Act does not provide for a private right of action, it does give the New York attorney general greater oversight of data breaches that impact the state’s residents. Under the Act, the New York Attorney General has both expanded enforcement authority and the ability to impose civil penalties and injunctive relief.
The Act also includes an exemption for companies that are subject to and compliant with other federal or New York State data security laws or regulations, such as the NYDFS Regulation, HIPAA, and GLBA. Accordingly, companies outside of the financial and healthcare industries should pay particular attention to the new data security obligations in the Act. Many such organizations have been performing gap analyses against these obligations and implementing additional policies and controls where appropriate.
Given these developments, companies should expect to see increased enforcement in New York this year within the cybersecurity space.
*Jake Nevola, a Law Clerk in our New York office, contributed to this entry.