NYLJ.COM | Litigation | MONDAY, NOVEMBER 14, 2016 | S5
cybersecurity pressure points, such as multi-factor authentication, penetration testing and access privileges.

While the Requirements may appear proscriptive and complex to implement on their face, the specificity of the regulation is important when attempting to reduce data breaches across the financial services and insurance industries. The Requirements appear to follow the same model as the European General Data Protection Regulation (GDPR) by imposing quantifiable, bright-line rules that look to standardize data privacy practices across the industry. For example, like the GDPR, the Requirements mandate that a Covered Entity notify the Superintendent within 72 hours after discovery of a data breach. This contrasts with the majority of existing notification laws that apply a reasonableness standard, which allows each individual organization to define the appropriate response. Even when an organization may have every intention of implementing reasonable cybersecurity policies and practices, the lack of definition in the space can be challenging. Certain government agencies, like the Federal Trade Commission, release guidelines and bring enforcement actions, but the agencies have limited resources and cannot monitor the cybersecurity policies of every organization that operates within the insurance and financial services space. In turn, a policy’s reasonableness (or unreasonableness) is usually not determined until after a data breach occurs and at that point, the damage has already been done. By establishing quantitative minimum standards not altered by an organization’s subjective view of reasonableness, the NYDFS seeks to remove ambiguities that have hampered previous regulations.

As a state-based regulation, the Requirements pertain only to Covered Entities in New York State. The reach of the Requirements, however, would extend far beyond New York’s borders. New York is a global financial center. Financial services make up 15 percent of the New York City economy, second only to the real estate sector.[4] New York-based policies will likely affect financial services and insurance company infrastructures nationally given the impracticality of structuring an information security infrastructure with state borders in mind. Similar consequences have occurred with California’s Children’s Online Privacy Protection Act, which has affected the vast majority of online privacy policies nationwide.

The Requirements’ Third Party Information Security Policy (§500.11) further expands the reach of the regulation. Covered Entities are required to implement written policies and procedures ensuring the security of information systems and NPI handled by third parties. In essence, this section requires any and all third parties that interact with the Covered Entity’s NPI to adhere to the Requirements. Like financial services and insurance companies, it will be difficult for third-party law firms, consultants and vendors to retool their cybersecurity policies and procedures only for the New York financial services and insurance markets. In turn, it is likely that the Requirements will force organizations in other industries to reexamine and potentially rebuild their cybersecurity infrastructure around this demanding new regulation.

The Requirements, if passed in their current form, signal a new direction for state governments in cybersecurity and data privacy regulation. Other state governments are inevitably going to follow suit and will expand the scope to other industries. While it may be costly and resource-intensive to implement, the NYDFS Requirements’ clear and thorough minimum standards should help to curb future data breaches and further secure NPI.

1. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf.
2. §500.02
3. Id.
4. http://www.nyc.gov/html/om/pdf/ny_report_final.pdf.