Clients and Companies This Effects
New York changed the data security landscape when it introduced the groundbreaking Cybersecurity Regulation (23 NYCRR 500). Full compliance is required for any financial services provider subject to the jurisdiction of the New York State Department of Financial Services (“DFS”), whether or not the entity is headquartered in New York. This includes licensed lenders, state-chartered banks, trust companies, mortgage companies, service contract providers, and insurance companies.
The broad scope of the requirements also has a significant effect on service providers that do business with covered entities. However, there are limited exemptions; for example, organizations with less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets (including all affiliates) are exempt from certain requirements of the regulation.
The Cybersecurity Regulation in a Nutshell
The regulation’s main directive is to protect consumer personal information by requiring companies in the financial services industry to proactively implement procedures that will reduce the threat of cyberattacks. Going beyond any other current state level regulation, 23 NYCRR 500 requires covered entities to establish and maintain cybersecurity programs designed to prevent, detect, and respond to cyberattacks.
Potential Penalties For Non Compliance
Failure to understand the extensive coverage of 23 NYCRR 500, as well as the available exemptions, timing and limits of the exemptions, could subject a covered entity to substantial penalties. Indeed, DFS has wasted no time on cracking down on non-compliant entities.
On July 22, 2020, DFS filed its first charges against a financial institution, First American Title Insurance Company, for violating the regulations. The Statement of Claims alleges that First American’s mandatory routine penetration test revealed vulnerabilities, and the company’s failure to remediate the deficiencies exposed the personal and financial information of millions of consumers. DFS claims that First American violated six provisions of the Cybersecurity Regulation, and asserts that each piece of Nonpublic Information involved in the claims “constitutes a separate violation carrying up to $1,000 in penalties per violation.” By this logic, DFS estimates the number of violations to be a staggering 255 million, or “30% of” the “850 million” documents that First American made publicly available.
TAKE AWAY
This First American matter makes clear that DFS will aggressively enforce its Cybersecurity Regulation. The case provides us with valuable perspectives on the priorities and expectations of DFS as well as foresight into how other regulators may interpret similar data security regulations. Failure to adapt procedures based on these lessons could prove extremely costly.
Lessons Learned from the First American Case.
Proactively Resolve Detected Vulnerabilities Promptly :Robust Risk Assessments Appropriate Cybersecuity Training No Harm to Consumers is Required For High Penalties press release , DFS is claiming there were roughly 255 million violations and that each violation constitutes a fine of up to $1,000. Companies should see this as a warning that consumer harm may not be a factor in DFS’s decision to levy extreme fines.
CONCLUSION
Covered entities should not wait until a cybersecurity incident occurs before ensuring policies, procedures and practices will pass under the scrutiny of a DFS action. The risk of significant financial penalties is too high. Covered entities should consistently assess their compliance with the cybersecurity regulations before an attack. If you have any questions regarding DFS’s Cybersecurity Regulation or would like to evaluate your current cybersecurity or data protection procedures, please contact Greenspoon Marder’s Regulatory Compliance practice group. Our well-rounded group of professionals includes nationally recognized attorneys, seasoned legislators, and experienced lobbyists, as well as a uniquely dedicated paralegal group to ensure personalized client service.
About Greenspoon Marder
Greenspoon Marder is a national full-service business law firm with over 200 attorneys and 25 locations across the United States. We are ranked among American Lawyer’s Am Law 200, as one of the top law firms in the U.S. since 2015. Our Regulatory Compliance & Defense practice group works closely with each client to understand their business model, goals, and objectives; and, to help our clients realize those goals while staying in compliance with applicable state and federal regulations. At Greenspoon Marder, we focus on pro-actively keeping our clients in good standing with regulators
Key Requirements of the NY’s Cybersecurity Regulation (23 NYCRR 500):
Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
Requirements that a cybersecurity program is adequately funded, overseen by a chief information security officer (which can include a third-party service provider), and implemented by qualified cybersecurity personnel.
Written cybersecurity policies and procedures to protect information systems and the nonpublic information on those systems, including information systems and nonpublic information accessible to, or held by, third-party service providers;
Effective incident response plans that include preserving data in order to respond to data breaches and providing notice within 72 hours to the NYDFS of material events.
Audit and risk basic trails designed to detect and respond to cybersecurity events.
Annual reports covering the risks faced, all material events, and the impact on protected data.
About Greenspoon Marder Greenspoon Marder LLP is a full-service law firm with over 240 attorneys and more than 20 office locations across the United States. With operations from Miami to New York and from Denver to Los Angeles, our firm attracts some of the nation’s top talent in key markets and innovation hubs. Our core practice areas include Real Estate, Litigation, and Transactional Services, complemented by the capabilities of a full-service firm. Greenspoon Marder has upheld a spot on The American Lawyer’s Am Law 200 as one of the top law firms in the U.S. since 2015, and our goal is to provide exceptional client service by developing a thorough understanding of each client’s business needs and objectives in order to provide strategic, cost-effective solutions.
MEDIA CONTACT
Natalie Villanueva, Director of Marketingnatalie.villanueva@gmlaw.com
This Greenspoon Marder LLP Client Alert is issued for informational purposes only and is not intended to be construed or used as general legal advice nor a solicitation of any type. Please contact the author(s) or your Greenspoon Marder LLP contact if you have any questions regarding the currency of this information. The hiring of a lawyer is an important decision. Before you decide, ask for written information about the lawyer’s legal qualifications and experience.
