United States: New York Cybersecurity Updates
Effective September 4, 2018, cybersecurity rules require covered entities regulated by the New York State Department of Financial Services (NYDFS) to encrypt confidential data when transferring externally and to implement policies and procedures to protect and monitor the use of this data. Covered Entities must comply with the following provisions:
- Securely maintain systems sufficient to support business operations, and retain the related records for at least five years; this includes audit trails designed to detect and respond to cybersecurity events that could materially harm normal operations, with audit-trail records retained for at least three years.
- Develop policies and procedures to protect data, including those of a risk-based nature, ensuring that security is reviewed and tested periodically (and updated as necessary) by the chief information security officer or a qualified person.
- Implement policies and procedures for the secure disposal of any confidential data that is no longer required for business operations (information that must be retained by law, or whose disposal is not reasonably feasible, is exempt).
- Encrypt confidential data.
Some covered entities are exempt from the above requirements. Employers should determine whether the rules apply to them and, if so, assess the impact of the changes. Where the rules apply and are not adhered to, penalties may follow.
The following additional changes are expected:
- November 1, 2018: Every consumer credit reporting agency deemed to be a covered entity must comply with the NYDFS’ cybersecurity requirements.
- February 15, 2019: Covered entities must submit a certification of compliance with NYDFS in addition to previous requirements.
- March 1, 2019: Covered entities that use third-party service providers must adopt written policies and procedures that are based on a risk assessment and designed to ensure the security of information systems and confidential data accessible to third parties.
- February 15, 2020: Covered entities must submit a certification of compliance covering the third-party service provider requirements.
These new requirements will likely affect many elements of a covered entity’s operations. The regulations will also likely indirectly affect many service providers that process nonpublic information for covered entities, since covered entities will need to revise their service-provider requirements to comply.