Tannenbaum Helpern Syracuse & Hirschtritt, LLP

What’s New in the Revised New York State Proposed Cybersecurity Regulation?

As reported in our December 2016 article entitled, “Proposed NYS DFS Cybersecurity Regulations to Significantly Impact FS Companies”, the New York State Department of Financial Services (“DFS”) issued an initial version of a proposed cybersecurity regulation (the “Initial Regulation”) that would require banks, insurance companies and other institutions regulated by the DFS (“Covered Entities”) to establish and maintain a rigorous cybersecurity program.

On December 28, 2016, the DFS published an updated version of the regulation (the “Updated Regulation”) after the comment period for the Initial Regulation ended, making significant changes to its security requirements[1]. The DFS will finalize the regulation after the expiration of a new 30-day comment period, and the new effective date of the regulation is expected to be March 1, 2017. Covered Entities will have 180 days from the effective date (until late August 2017) to comply with most of the regulation’s provisions, but they will have up to two years to comply with certain other provisions. Below is a summary of some of the key revisions contained in the Updated Regulation:

Scope of “Nonpublic Information”

As noted in our December 2016 article, the regulation is designed to protect the security of “Nonpublic Information,” which the Initial Regulation defined very broadly, going well beyond typical personally identifiable information. While the Updated Regulation narrows the scope of “Nonpublic Information” somewhat, the term is still defined quite broadly. In the Updated Regulation, “Nonpublic Information” means:

  • Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the Covered Entity’s business, operations or security;
  • Any information concerning an individual which because of name, number, personal mark or other identifier can be used to identify such individual, together with any one or more of the following: (i) social security number, (ii) driver’s license number or identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records; and
  • Any information (except age or gender) created by or derived from a health care provider or an individual and that relates to (i) the physical, mental or behavioral health or condition of any individual or family member, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.

The Updated Regulation continues to provide that the information above would not be deemed Nonpublic Information if it is “Publicly Available Information.” However, this exception will still require a Covered Entity to have a “reasonable basis to believe” that the otherwise Nonpublic Information was “lawfully made available to the general public” via certain specified sources. Therefore, it appears that Covered Entities would still need to perform some due diligence to “reasonably” satisfy themselves that the dissemination of publicly-available information was “lawful.”

Cybersecurity Policy Requirements

Covered Entities must implement and maintain a written cybersecurity policy. While the Initial Regulation required all Covered Entities’ cybersecurity policies to address each of fourteen issues, the Updated Regulation provides that each Covered Entity’s policy should be based on that particular Covered Entity’s own risk assessment and should address the fourteen issues “to the extent applicable to the Covered Entity’s operations.” Thus, the Updated Regulation provides some flexibility as to which issues each Covered Entity’s cybersecurity policy must address.

Third Party Service Providers’ Cybersecurity Obligations

As we noted in our December 2016 article, some organizations that are not regulated by the DFS would still be affected by this regulation because Covered Entities must identify and assess the cybersecurity risks of doing business with third party service providers that have access to Covered Entities’ Information Systems and Nonpublic Information. The Updated Regulation offers Covered Entities more flexibility in identifying and addressing their service providers’ cybersecurity risks. Now, Covered Entities’ obligation to conduct cybersecurity assessments of their service providers will be based on the risks those service providers present. Additionally, Covered Entities are no longer expressly required to include in their contracts certain types of cybersecurity-related requirements for those service providers. Of course, Covered Entities may always require their service providers to comply with cybersecurity requirements that such Covered Entities choose to impose.

Encryption of Nonpublic Information

The Initial Regulation required Covered Entities to encrypt all Nonpublic Information that they hold or transmit. An exception to that encryption requirement applied only if encryption was infeasible, and that exception applied for a limited time. Under the Updated Regulation, Covered Entities are required to implement “controls” (which may include encryption) that are appropriate based on their risk assessments. Therefore, encryption is not strictly required under the Updated Regulation. However, Covered Entities that use controls other than encryption must review the effectiveness of those controls (and review the feasibility of encryption) at least annually.

Notices to the Superintendent of the DFS

The Initial Regulation required Covered Entities to notify the Superintendent of the DFS within 72 hours after becoming aware of any “Cybersecurity Event” that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity, or that affects Nonpublic Information[2]. The Updated Regulation reduces the scope of Cybersecurity Events that require notification to the Superintendent. Under the Updated Regulation, Cybersecurity Events that require notice to the Superintendent are:

  1. those in which notice must be provided to any supervisory body, and
  2. those that “have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.”

In addition, the Updated Regulation eliminates the requirement for Covered Entities to notify the Superintendent of the DFS within 72 hours after identifying “any material risk of imminent harm relating to its cybersecurity program,” even if no cybersecurity event had actually occurred. Under the Updated Regulation, if a Covered Entity identifies areas that require material improvement, update or design, the Covered Entity must document its identification of the problem and its remedial efforts. The Superintendent may inspect the Covered Entity’s documentation.

Penetration Testing and Vulnerability Assessments

The Initial Regulation required Covered Entities to conduct penetration testing at least once a year, and vulnerability assessments at least quarterly. The Updated Regulation is less prescriptive in its requirements. Under the Updated Regulation, the cybersecurity program for each Covered Entity must include monitoring and testing that is designed to assess the effectiveness of the program. Covered Entities would be required to conduct annual penetration testing and bi-annual vulnerability assessments only in the absence of effective continuous monitoring or other systems to detect changes that may indicate vulnerabilities.

Additional Exemptions

The Updated Regulation exempts Covered Entities that have fewer than ten employees, and those that are not required to access, receive or possess Nonpublic Information, from certain of its requirements.

What is Next?

As noted above, the effective date of the proposed regulation is expected to be March 1, 2017. All organizations covered by the regulation should design (or re-design) their cybersecurity programs and procedures to comply with the regulation once it becomes effective. This applies to Covered Entities, as well as to third party service providers that have access to Covered Entities’ Nonpublic Information.

For more information on the topic discussed, contact Andre R. Jaglom at jaglom@thsh.com, David R. Lallouz at lallouz@thsh.com, Michael J. Riela at riela@thsh.com, or any other member of the Firm’s Cybersecurity and Data Privacy Practice Group.


[1] The Updated Regulation can be found at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.

[2] Notably, the term “Cybersecurity Event” is broadly defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System” (emphasis added). Thus, even an unsuccessful attempt to gain unauthorized access will be considered a “Cybersecurity Event” for purposes of the regulation. The term “Information System” is also broadly defined, and could be interpreted to include any information system within the Covered Entity.
