Are The New York Cybersecurity Regulations The U.S. Equivalent Of GDPR?

Not quite; but legal operations folks need to pay attention, particularly with respect to third-parties.

Two years ago, New York’s Department of Financial Services (DFS), which regulates companies in the financial services industry, promulgated regulations in an effort to establish minimum cybersecurity requirements for companies that do business in New York (see 23 NYCRR 500 or click here).

Last month marked the deadline for certain regulatory activities required under the new DFS rules. How many companies have complied is anyone’s guess, but it seems useful to remind legal operations personnel and their IT security folks of their compliance obligations.

Under the regulations, any DFS-regulated entity doing business in New York is required to establish an internal cybersecurity program to protect information assets under their control. Organizations with less than 10 employees or revenue below $5 million or year-end assets under $10 million are exempt from some of the more onerous requirements, but it appears that even these smaller entities have obligations to limit access to information, assess their risk, implement policies related to third-party data control, and their own data disposition. All regulated entities are also obligated to report a breach event regardless of size.

Basically, the DFS is forcing financial services companies to implement information governance policies. This is not necessarily a terrible thing because, as I’ve indicated time and again, knowing what information an organization has, how it’s created, accessed, and where it’s stored and secured just makes good business sense.

Still, a few things stand out about these new regulations that many organizations may not have considered.

First, the third-party requirements in section 500.11 require all covered entities to implement policies and procedures “to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” Based on this language, it appears that any entity using a third-party service provider to process, review, or store nonpublic information will need to ensure that the third-party also has the minimum information security protections in place.

Knowing what I know about how a client’s electronically stored information might find its way to a law firm or eDiscovery vendor, it seems pretty clear that the DFS regulations impact more than just the covered entities. Significantly, it is for this requirement that the deadline to comply recently passed. So, if you have not already done so, it would be prudent to consider how this third-party requirement impacts your organization.

Sponsored

Second, while it seems unlikely that we will see the kind of sized GDPR-like fines we’ve recently read about, the DFS regulations don’t speak much to the question of penalties for failure to comply. Section 500.20 does speak to enforcement, and the superintendent of DFS has regulatory enforcement powers under the NYS Banking Law, but unless you’ve been through that process, how do you know what potential fines await the non-compliers?

In short, fines for DFS regulatory violations can range from a few thousand dollars up to $75,000 or higher, and these fines can be imposed on a daily basis, meaning that for each day an organization is not in compliance, the fines may accrue.

Third, many articles about the DFS cybersecurity regulation firmly make the point that regulated companies need to comply with the new requirements unless they are exempt from compliance. What I have not seen emphasized as much is the need for all organizations licensed or regulated by the DFS, exempt or not, to meet certain cybersecurity requirements. It does not appear that even smaller entities are exempt from the requirements related to access to information (500.07), performance of a risk assessment (500.09), or the retention and data disposition requirements (500.13).

As the DFS superintendent made clear in a December 21, 2018 memorandum addressed to CEOs of regulated entities:

By March 1, 2019, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS will be required to have a robust cybersecurity program in place that is designed to protect consumers’ private data . . . . The regulation sets forth certain limited exemptions, many of which still require certain cybersecurity programs and practices.

Sponsored

If you think your organization is exempt from compliance, you might want to double check because March 1st was the deadline for compliance and, well, you can do the math on the fines if your organization has not complied.


Mike Quartararo

Mike Quartararo is the managing director of eDPM Advisory Services, a consulting firm providing e-discovery, project management and legal technology advisory and training services to the legal industry. He is also the author of the 2016 book Project Management in Electronic Discovery. Mike has many years of experience delivering e-discovery, project management, and legal technology solutions to law firms and Fortune 500 corporations across the globe and is widely considered an expert on project management, e-discovery and legal matter management. You can reach him via email at [email protected]. Follow him on twitter @edpmadvisory.