Clients and Companies This Affects
New York changed the data security landscape when it introduced the groundbreaking Cybersecurity Regulation (23 NYCRR 500). Full compliance is required for any financial services provider subject to the jurisdiction of the New York State Department of Financial Services (“DFS”), whether or not the entity is headquartered in New York. This includes licensed lenders, state-chartered banks, trust companies, mortgage companies, service contract providers, and insurance companies.
The broad scope of the requirements also has a significant effect on service providers that do business with covered entities. However, there are limited exemptions; for example, organizations with less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets (including all affiliates) are exempt from certain requirements of the regulation.
The Cybersecurity Regulation in a Nutshell
The regulation’s main directive is to protect consumer personal information by requiring companies in the financial services industry to proactively implement procedures that will reduce the threat of cyberattacks. Going beyond any other current state-level regulation, 23 NYCRR 500 requires covered entities to establish and maintain cybersecurity programs designed to prevent, detect, and respond to cyberattacks.
Potential Penalties For Non-Compliance
Failure to understand the extensive coverage of 23 NYCRR 500, as well as the available exemptions and their timing and limits, could subject a covered entity to substantial penalties. Indeed, DFS has wasted no time in cracking down on non-compliant entities.
On July 22, 2020, DFS filed its first charges against a financial institution, First American Title Insurance Company, for violating the regulations. The Statement of Claims alleges that First American’s mandatory routine penetration test revealed vulnerabilities, and the company’s failure to remediate the deficiencies exposed the personal and financial information of millions of consumers. DFS claims that First American violated six provisions of the Cybersecurity Regulation, and asserts that each piece of Nonpublic Information involved in the claims “constitutes a separate violation carrying up to $1,000 in penalties per violation.” By this logic, DFS estimates the number of violations to be a staggering 255 million, or “30% of” the “850 million” documents that First American made publicly available.
This First American matter makes clear that DFS will aggressively enforce its Cybersecurity Regulation. The case provides us with valuable perspectives on the priorities and expectations of DFS as well as foresight into how other regulators may interpret similar data security regulations. Failure to adapt procedures based on these lessons could prove extremely costly.
Lessons Learned from the First American Case
Proactively Resolve Detected Vulnerabilities Promptly: The regulations mandate periodic penetration testing and vulnerability assessments. These tests can expose vulnerabilities even at organizations with robust security programs. While many entities have procedures for remediating identified weaknesses within a set time period, the First American action demonstrates that these procedures must be more robust and faster acting. DFS alleges that First American’s response, instituting a 90-day plan to remediate the vulnerabilities, vastly undervalued the risks they posed. DFS notes that First American assigned “a new employee with little experience in data security” to address the detected issues; based on the risk involved, this was wholly inadequate. Moreover, DFS claims that First American reviewed just 10 of the potentially hundreds of millions of documents exposed. DFS also cited the company’s failure to comply with its own internal remediation policies: First American failed to remediate within its self-imposed 90-day timeline and did not follow up on the risk assessment. This demonstrates that companies must react appropriately to the risks posed by any detected vulnerability. Remediation of vulnerabilities identified during penetration tests and vulnerability assessments must occur in a timely manner, and remediation efforts must be led by capable personnel. Additionally, documenting remediation efforts in contemporaneous records will be key to proving that appropriate measures were taken.
Robust Risk Assessments: DFS requires a periodic risk assessment of information systems. The First American action reveals that DFS may scrutinize the scope and depth of those assessments. DFS pointed to the lack of a documented risk assessment of the vulnerable document delivery system, and the failure to recognize that the system contained nonpublic information, as a critical failure for First American. Therefore, covered entities must identify and perform risk assessments on all systems that involve sensitive consumer information.
Appropriate Cybersecurity Training: DFS deemed First American’s training insufficient because the company purportedly delegated training to individual business units, with no centralized supervision of the training or oversight of the departments. Taking note, entities should develop and audit their cybersecurity training programs and create a centralized system for oversight of training across all departments. Training intensity should increase for employees who handle or have access to sensitive information.
No Harm to Consumers is Required For High Penalties: In consumer-driven cybersecurity litigation, proving harm is a major factor in a plaintiff’s ability to recover. By contrast, DFS makes no claim that consumers were harmed by First American’s alleged exposure of documents. Yet, as detailed in DFS’s press release, DFS claims there were roughly 255 million violations and that each violation carries a fine of up to $1,000. Companies should see this as a warning that consumer harm may not be a factor in DFS’s decision to levy extreme fines.
Covered entities should not wait until a cybersecurity incident occurs before ensuring policies, procedures and practices will pass under the scrutiny of a DFS action. The risk of significant financial penalties is too high. Covered entities should consistently assess their compliance with the cybersecurity regulations before an attack. If you have any questions regarding DFS’s Cybersecurity Regulation or would like to evaluate your current cybersecurity or data protection procedures, please contact Greenspoon Marder’s Regulatory Compliance practice group. Our well-rounded group of professionals includes nationally recognized attorneys, seasoned legislators, and experienced lobbyists, as well as a uniquely dedicated paralegal group to ensure personalized client service.
About Greenspoon Marder
Greenspoon Marder is a national full-service business law firm with over 200 attorneys and 25 locations across the United States. We are ranked among American Lawyer’s Am Law 200, as one of the top law firms in the U.S. since 2015. Our Regulatory Compliance & Defense practice group works closely with each client to understand their business model, goals, and objectives, and to help our clients realize those goals while staying in compliance with applicable state and federal regulations. At Greenspoon Marder, we focus on proactively keeping our clients in good standing with regulators.
Key Requirements of New York’s Cybersecurity Regulation (23 NYCRR 500):
Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
Requirements that a cybersecurity program is adequately funded, overseen by a chief information security officer (which can include a third-party service provider), and implemented by qualified cybersecurity personnel.
Written cybersecurity policies and procedures to protect information systems and the nonpublic information on those systems, including information systems and nonpublic information accessible to, or held by, third-party service providers.
Effective incident response plans that include preserving data in order to respond to data breaches and providing notice within 72 hours to the NYDFS of material events.
Audit trails designed to detect and respond to cybersecurity events.
Annual reports covering the risks faced, all material events, and the impact on protected data.