By August 28, a mere month from now, financial institutions licensed in New York are required to have in place the first series of cybersecurity protections mandated by stringent new regulations issued by that state's Department of Financial Services (NYDFS). The measures required in this first of four phase-in periods stretching through March 1, 2019, include a Cybersecurity Program, underlying Cybersecurity Policies, and an Incident Response Plan, each as intricately prescribed by NYDFS, plus designation of a Chief Information Security Officer (CISO) to oversee them. As to all of the above Phase 1 requirements, except designating the CISO, the regulations also require that by March 1, 2018, they be based on and conform to the findings of a comprehensive Risk Assessment not (nominally) due until the latter date. Thus, as a practical matter, the regulations encourage covered entities to have completed the Risk Assessment by the end of August too.
Firms that have fewer than 10 employees (including independent contractors) in New York or that have under $5 million in revenues or under $10 million in total assets may, on due notice to NYDFS, be exempt from the requirement to appoint a CISO. Such firms, however, are exempt from other requirements due on August 28, including those discussed above, as well as a related obligation to limit access to nonpublic personal information.
But that is hardly all. As of August 28, all covered entities will also be subject to a 72-hour notice rule that will, in many instances, radically accelerate companies' reporting obligations and processes. In the U.S., the data breach notification laws of the various states have heretofore required companies to notify affected parties or regulators within a "reasonable" but unspecified time and/or a specified time of at least 30 days following discovery. Under New York's new regulations, however, a covered entity must, within 72 hours, notify NYDFS of the entity's determination of the occurrence of a "Cybersecurity Event" that either (1) has "a reasonable likelihood of materially harming any material part of the normal operation(s) of" that company or (2) triggers a separate obligation of the company to report to a "government body, self-regulatory agency or ... other supervisory body." It is the first prong of NYDFS' 72-hour rule that will require covered entities to report incidents far faster than any U.S. regulator had ever before mandated.
Recent surveys indicate that many companies do not believe they will be ready by the August 28 deadline — or even later still. Day Pitney encourages its financial sector clients to take timely steps to comply with New York's new regulations. The Day Pitney attorneys listed here are available to assist you.