New York Law Could Provide Insight into Cybersecurity’s Legal Future
While government agencies like the Federal Trade Commission (FTC) regulate and investigate whether a company exercises reasonable cybersecurity practices, especially in the aftermath of a data breach, there are few laws mandating the particulars of how a company must implement information privacy standards and cybersecurity. However, this may be changing in the near future.
Companies that base their cybersecurity on the NIST Cybersecurity Framework or the 20 CIS Critical Security Controls could find themselves in a good position to respond to an investigation by a state or federal government agency. The FTC looks upon the NIST Cybersecurity Framework favorably. However, compliance with standards like the NIST Cybersecurity Framework or the CIS Critical Security Controls will not create a safe harbor, and states are beginning to consider laws requiring certain businesses to implement an information security program that meets detailed minimum cybersecurity standards.
On March 1, 2017, the NY Department of Financial Services implemented a regulation detailing required information security programs and minimum cybersecurity standards for certain businesses, “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR 500). The regulation is highly detailed and prescriptive, applying to banks, insurance companies, and other financial services institutions regulated under the applicable Banking Law, Insurance Law or Financial Services Law of New York.
Among other requirements, the New York regulation requires a risk assessment that is conducted and updated periodically as reasonably necessary. This risk assessment informs the technological controls, information security procedures and policies that the law requires of the business, by considering the particular cybersecurity risks of its business operations, the nonpublic personal information it collects or stores, the information systems it uses, and the availability and effectiveness of controls to protect nonpublic personal information and business information systems. The regulation requires that businesses institute a number of practices based on this risk assessment, including, but not limited to, a written cybersecurity policy, an incident response plan, employee cybersecurity training, encryption, multi-factor authentication, monitoring and periodic testing of the cybersecurity program, audit trail systems, and an annual certification of compliance with the regulation.
While this regulation does not affect all types of businesses, it is one of the first of its kind. It is expected to cause ripples, as other states may look to it as a model when developing their own regulations and laws on information privacy and cybersecurity.