Follow the Leader: NYDFS Cybersecurity Regulation Leads the Way for Other States and Industries

The New York Department of Financial Services (NYDFS) blazed a cybersecurity trail with its 2017 regulation for the protection of information collected and processed in, and systems used in the operation of, the financial services and insurance industries. The Empire State’s work has already formed the basis for the National Association of Insurance Commissioners’ model cybersecurity law, several states’ insurance laws, and similar laws for other industries in other states. With “imitation being the sincerest form of flattery,” other states and industries are expected to flatter the DFS by adopting similar requirements.

The NYDFS’ work has been game-changing and will continue to be highly influential. As important as the NYDFS Cybersecurity Regulation is, however, it would be a disservice not to remember the earlier federal and state governmental laws, regulations and guidances that built a foundation on which the NYDFS has erected its New York cyber skyscraper. Taken together, the legal landscape has been dramatically altered in recent years and more changes are inevitable.

Also, as governmental edicts about cybersecurity proliferate, so too do related requirements about data breach notifications and privacy protections.

The NYDFS Cybersecurity Regulation
After drafts and revisions, and plenty of industry comment, effective March 1, 2017, the NYDFS promulgated its Cybersecurity Regulation (23 NY CRR 500) to address the cybersecurity threats facing “Covered Entities,” defined to include all NYDFS licensees, including banks and other lenders, insurance carriers and producers, and others. Beyond other cybersecurity requirements found in existing U.S. laws and regulations, the NYDFS Cybersecurity Regulation expanded the scope of information to be protected by defining “Nonpublic Information” to include the traditional data sets that can expose individuals to identity theft and fraud, as well as information that, if compromised, could cause material harm to the Covered Entity. In addition, the NYDFS Cybersecurity Regulation also expanded the scope beyond information to include “Information Systems,” including systems used to process Nonpublic Information, as well as operations systems (including HVAC and telephone systems) needed to operate the Covered Entity’s business.

Also beyond other U.S. laws and regulations focused on cybersecurity, the NYDFS Regulation is highly prescriptive in identifying particular written policies and safeguards required to be adopted, particular requirements for general employee awareness and specific employee qualifications and training, and requirements for assessing and managing the cybersecurity risks presented by the Covered Entity’s use of third party service providers with access to Nonpublic Information and Information Systems. Most of these requirements are based on a required periodic cybersecurity risk assessment.

In addition, the NYDFS introduced a requirement to notify NYDFS of certain types of cybersecurity events within 72 hours, much quicker than existing U.S. breach notification requirements, but consistent with the notice deadline of the new European Union General Data Protection Regulation (GDPR). The notification requirement is also broader, encompassing certain breaches covered by existing state breach notice requirements, and including certain breaches of systems that could threaten the Covered Entity without compromising the types of information that could expose individuals to identity theft and fraud.

The NAIC Insurance Data Security Model Law
Following the lead of the NYDFS, in October 2017 the NAIC adopted its Insurance Data Security Model Law (NAIC Model) to establish insurance industry standards for data security, and for the investigation and notification of certain cybersecurity events. The NAIC Model applies to any individual or nongovernmental entity licensed, authorized, or registered under the insurance laws, with certain exceptions. An NAIC taskforce had been working on cybersecurity standards for two years, but substantially revised its prior working drafts to follow the concepts and terminology used in the NYDFS Cybersecurity Regulation. The NAIC Model has the potential to affect the entire insurance industry, including InsurTech firms and other service providers with access to the data and systems of insureds and producers.

The NAIC Model, while based on the NYDFS Cybersecurity Regulation, differs from it in several important respects. To address concerns about inconsistency among the states, a drafters’ note to the NAIC Model states that Licensees in compliance with the NYDFS Cybersecurity Regulation are deemed to be in compliance with the NAIC Model.

On May 3, 2018, the South Carolina Governor made South Carolina the first state in the nation to adopt a comprehensive cybersecurity statute for the insurance industry, by signing into law the South Carolina Insurance Data Security Act (H4655) based on the NAIC Model, which will become effective January 1, 2019.

Other states can be expected to propose similar legislation based on the NAIC Model. A bill following the NAIC Model was introduced in Rhode Island (Bill 2018 – H7789), although it has been recommended to be held for further study.

Activity by Other Jurisdictions
In 2017, Colorado (3 CCR 704-1 Rules 51-4.8 and 4.14) and Vermont (Vermont 4:4 Vt Code R. § 8:8-4) imposed cybersecurity requirements for the securities industry similar to the NYDFS requirements (which do not apply to securities firms).

In 2018, Colorado (House Bill 18-1128) went further, and adopted general cybersecurity requirements for all entities that maintain, own or license personal identifying information of a Colorado resident. While it does not mandate the same level of specific activity as the NYDFS Cyber Regulation, it does require an entity to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” (Colo. Rev. Stat. § 6-1-713.5(1)). In this respect, the Colorado statute harkens to the first of the U.S. general cybersecurity requirements, the Massachusetts information security regulation (201 CMR 17), which has since 2009 required all businesses regardless of industry to protect personal information of Massachusetts residents, including by adopting a written information security program, encrypting certain information, managing risks presented by third party service providers, and taking other steps to protect the confidentiality and security of the information.

Colorado is an example of considerable legislative activity in 2018 that focuses chiefly on privacy and notification issues but includes cybersecurity requirements. Other states with new or amended data breach notification and privacy protection laws are Alabama, Arizona, Delaware, Louisiana, Massachusetts, Oregon and South Dakota.

Further, much has been written about the European Union’s GDPR that took effect on May 25, 2018. This regulation, with its sweeping privacy considerations, general cybersecurity obligation, and strict notification requirements, should not be overlooked by U.S. enterprises. There are several ways U.S.-based operations can be subject to the GDPR and we encourage all entities to assess carefully its applicability and obligations.

California has taken notice of the GDPR and enacted the California Consumer Privacy Act of 2018 (A.B. 375) on June 28, 2018. [see “Dropping Another Stone in the Pond? California’s New Consumer Privacy Act” in this issue.] It is viewed as a compromise to avoid a November statewide ballot on an initiative of the same name. While it does not take up the NYDFS Cybersecurity Regulation’s prescriptive security requirements, this law, which takes effect in January 2020, closely tracks the various privacy concepts of the GDPR. Given the role California played in adopting the first breach notification statute in the U.S., which then rippled across the nation to be adopted in one form or another in every state, observers are closely following this new California legislation. Among the requirements of the California Consumer Privacy Act are a duty to maintain reasonable security; an obligation to disclose the types of data being collected about California consumers; the requirement to produce to a consumer the categories, as well as the specific pieces, of information collected; and a right to be forgotten.

What’s Next?
Looking ahead, there will certainly be further governmental attention at all levels in response to ever-increasing awareness of cybersecurity risks, the consequences of incidents, privacy concerns, and more. This attention can manifest, for example, in new laws or regulations, changes to existing law, and heightened enforcement. Also, as industry sectors wrestle with their potential challenges and exposures, industry-specific standards will continue to emerge.

The goal of any business should be risk mitigation, not merely compliance with applicable requirements. Therefore, those charged with assessing and managing privacy and cybersecurity risks at their organizations must continually monitor the evolving landscape of standards and requirements. Currently, the NYDFS Cybersecurity Regulation provides a useful model for managing these risks, regardless of industry.

This article was originally published in CPO Magazine July 16, 2018. Used with permission.