On September 13, 2016, the New York State Department of Financial Services (DFS) issued proposed cybersecurity regulations (Proposed Regulations) that would impose significant new obligations on all organizations covered by the Proposed Regulations. This would include colleges and universities as well as other not-for-profit organizations in New York State that operate a donor annuity program because such programs require a permit from DFS in accordance with N.Y. Insurance Law § 1110. On December 28, 2016, DFS issued revised regulations that responded to extensive public criticism that the Proposed Regulations were too prescriptive, but left many key elements of the Proposed Regulations in place, including the requirement for annual certification of compliance by the Board of Directors of each covered organization. (For a description of the revised regulations, see https://www.bsk.com/media-center/3635-cybersecurity-data-privacy-proposed-new-york-state-regulations-updated-implementation.)
On January 27, 2017, Bond, Schoeneck & King, joined by the Commission on Independent Colleges and Universities, submitted a letter to DFS (Letter) urging that colleges and universities, as well as other not-for-profit organizations, should be exempt from the Proposed Regulations. A copy of the Letter is found here. The Letter supports the exemption by noting, among other reasons, that the Proposed Regulations, which were designed for financial institutions such as banks, would impose an exceptional burden on institutions of higher education and not-for-profit organizations that is unrelated to their mission, size, resources or operations. Moreover, as set forth in the Letter, these organizations are already covered by other cybersecurity laws and regulations. In many cases, the data for the donor annuity program is held by banks, not by these organizations, further undercutting any rationale for including them under the mandate of the Proposed Regulations.
DFS has not yet issued the final cybersecurity regulations.