Aug 272018

NYDFS Cybersecurity Regulation: Additional Cybersecurity Program Safeguards Due September 4, 2018

Colleen Theresa Brown and Sandra Lynne Fryhofer (Summer Associate)
, , , , , , , , ,

Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.

By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:

  • an audit trail that shows detection of and response to material cybersecurity events;
  • written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
  • data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
  • risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.

Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information.

To prepare for the latest deadline, companies should ensure that cyber events and incident audit trails are activated and being retained; finalize policies for addressing security risks in in-house application development and in the use of external applications; finalize data retention policies and schedules; finalize policies for monitoring authorized users; and consider and implement security controls as may be necessary, such as feasible encryption or effective alternative compensating controls, to protect non-public information.

Looking ahead, Covered Entities will be required to meet one final compliance deadline for the NYDFS on March 1, 2019.  By March 1, 2019, Covered Entities must have security policies in place that govern the security of third-party service providers and, by that deadline, must implement such written security policies.

The NYDFS has been assisting Covered Entities with compliance questions through its frequently asked questions (“FAQs”) and answers on the NYDFS website, originally published on June 20, 2017 and updated most recently on August 9, 2018. The now 36 questions in the FAQs section address key topics such as the types of entities subject to the Cybersecurity Regulation (which now include HMOs and continuing care retirement communities), provisions that must be complied with even if an entity receives a limited exemption, obligations that a Covered Entity has when it merges with or acquires a new company, the notice requirements pertaining to a cybersecurity event, the annual certification requirement, requirements related to the CISO, the effective dates for various provisions, and third party service providers’ obligations under the regulation.

The NYDFS Cybersecurity Regulation (published at 23 NYCRR 500.01) sets forth the minimum requirements for NYDFS-regulated entities to address cybersecurity risks.  For more background on the regulation, see our report, “NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls.”

To date, Covered Entities have addressed several compliance deadlines for the NYDFS as it phased in its requirements over the past year and a half:

  • By August 28, 2017, Covered Entities were required to have a cybersecurity program in place as well as a board (or senior officer) approved written cybersecurity policy and Chief Information Officer to help protect data and systems. They also became obligated to report cybersecurity events to the NYDFS.
  • By September 27, 2017, Covered Entities that determined that they qualified for a limited exemption were required to file a Notice of Exemption with the NYDFS.
  • By February 15, 2018, Covered Entities were required to comply with additional obligations under the regulation, including: implementation of a formal, written cybersecurity program and cybersecurity policy, limitations/restrictions on access privileges to information systems that provide access to nonpublic information, utilization of qualified cybersecurity personnel (internally or through qualified third party providers), designation of a new chief information security officer, and development of a written Incident Response Plan.  Covered Entities were also required to file their first annual certification of compliance with the Cybersecurity Regulation.
  • By March 1, 2018, Covered Entities were required to have a CISO responsible for preparing an annual report covering an organization’s information security policies, procedures, cyber risks, and the effectiveness of its cybersecurity programs; to design and implement a cybersecurity program that continually monitors and tests the organization’s vulnerabilities; and to use multi-factor authentication. Covered Entities were also required to provide regular cybersecurity awareness training for all personnel.
Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Sandra Lynne Fryhofer (Summer Associate)

sfryhofer@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1