A review and analysis of the New York Cybersecurity Rules.
New York Cybersecurity Rules are intended for financial companies but others should take stock.
After a record-breaking year of data breaches reported in the US in 2017, as well as several massive, damaging hacks (think Marriott and Google+) in 2018, state governments are taking matters into their own hands. New York leads those efforts with its Cybersecurity Rules.
The New York Department of Financial Services Cybersecurity Regulation, which was implemented in March 2017 to aid businesses in their cybersecurity efforts, reached its final compliance deadline on March 1, 2019, which will likely lead to heavier enforcement.
The rule requires banks, insurers, financial businesses, and regulated virtual currency operators to establish a detailed security plan, increase monitoring of third-party vendors, report breaches within 72 hours and appoint chief information security officers, with the goal of reducing the number of data breaches and amount of sensitive information stolen.
Since many businesses – especially in the financial services industry – have access to sensitive information (credit cards, Social Security numbers, bank accounts, etc.), employees’ awareness is essential to prevent internal threats. The 2018 Insider Threat Report found that 90 percent of companies feel they are vulnerable to insider threats, both intentional and inadvertent, with phishing emails being one of the most common and damaging entries into a company’s network.
Although New York cybersecurity rules will certainly assist in companies’ awareness and prevention of data threats, they won’t be enforced without challenges. For example:
- It may be possible to report that something has happened within the 72-hour notification requirement window, but it will be extremely difficult to provide more detail than that. Right now, the law is unclear of what exactly must be reported within the window, but the government will need to understand that the greater the exposure, the longer it takes to deal with. The question should not be, “Did the company report the breach within three days?” But rather, “Did the company act with appropriate speed and put the proper resources in place?”
- Each data breach is unique and should be treated as such – with whatever technologies and amount of time are required. If the law is too black and white (such as, requiring all companies to report the cause and extent of breaches within three days, regardless of the breach’s size), you’re going to penalize companies who are trying to do the right thing. They may have a chief information security officer in place, for example, who just didn’t have enough knowledge of the breach within the designated window. On the other hand, allowing gray area in the law becomes an entirely different problem.
- The third-party diligence process will also present issues because you’re dealing with outside companies who already have their own sets of monitoring programs in place. It is a Herculean undertaking to imagine the scope of auditing every single vendor and service provider. And then you have questions of responsibility to address – who is culpable when a vendor with access to data experiences a breach?
States are beginning to move in the same direction as New York, but it seems likely that Congress may move to enact controlling regulations at the federal level. This would prevent companies that do business nationally from having to deal with cybersecurity regulations on a state-to-state basis.
If your company is affected by the New York cybersecurity rules, remember to act deliberately – have a plan, execute on that plan and ask for help if you don’t have the internal expertise to handle such protocols. There are very skilled experts and consulting companies who are trained in responding to data breaches. Don’t get distracted from your core competencies to put resources into something you don’t know how to do. Getting the right people involved early on infinitely increases your chances of success.
Ultimately, the New York cybersecurity rules are simply an issue of awareness. These policies, at the very least, will make businesses more conscious of cybersecurity precautions and thus will lead to more individual understanding, training and established protocols. While the regulation may not be enough to stop data theft entirely, it is certainly a step in the right direction.
Learn about our Data Breach Discovery™ services to quickly, securely and cost-effectively identify what personal and sensitive data may have been affected in a breach.
Ryan Bilbrey is a senior litigation and disputes advisory professional with 25 years of data-focused litigation and investigation experience. He has assisted clients and their counsel by providing electronic discovery, computer forensics, forensic accounting, data analytics and strategic consulting services. Ryan has designed and implemented multiple data breach discovery projects as a component of cyber incident response investigations, and he has worked with clients in many industries, including financial services, education, manufacturing, health care, insurance, energy, technology, communications and entertainment, as well as with the federal and local government.