Greenspoon Marder Client Alert: Gaining Perspective From New York’s First Cybersecurity Enforcement Action

Aug 11, 2020

Clients and Companies This Effects

New York changed the data security landscape when it introduced the groundbreaking Cybersecurity Regulation (23 NYCRR 500). Full compliance is required for any financial services provider subject to the jurisdiction of the New York State Department of Financial Services (“DFS”), whether or not the entity is headquartered in New York. This includes licensed lenders, state-chartered banks, trust companies, mortgage companies, service contract providers, and insurance companies.

The broad scope of the requirements also has a significant effect on service providers that do business with covered entities. However, there are limited exemptions; for example, organizations with less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets (including all affiliates) are exempt from certain requirements of the regulation.

The Cybersecurity Regulation in a Nutshell

The regulation’s main directive is to protect consumer personal information by requiring companies in the financial services industry to proactively implement procedures that will reduce the threat of cyberattacks. Going beyond any other current state level regulation, 23 NYCRR 500 requires covered entities to establish and maintain cybersecurity programs designed to prevent, detect, and respond to cyberattacks.

Potential Penalties For Non Compliance

Failure to understand the extensive coverage of 23 NYCRR 500, as well as the available exemptions, timing and limits of the exemptions, could subject a covered entity to substantial penalties. Indeed, DFS has wasted no time on cracking down on non-compliant entities.

On July 22, 2020, DFS filed its first charges against a financial institution, First American Title Insurance Company, for violating the regulations. The Statement of Claims alleges that First American’s mandatory routine penetration test revealed vulnerabilities, and the company’s failure to remediate the deficiencies exposed the personal and financial information of millions of consumers. DFS claims that First American violated six provisions of the Cybersecurity Regulation, and asserts that each piece of Nonpublic Information involved in the claims “constitutes a separate violation carrying up to $1,000 in penalties per violation.” By this logic, DFS estimates the number of violations to be a staggering 255 million, or “30% of” the “850 million” documents that First American made publicly available.

TAKE AWAY

This First American matter makes clear that DFS will aggressively enforce its Cybersecurity Regulation. The case provides us with valuable perspectives on the priorities and expectations of DFS as well as foresight into how other regulators may interpret similar data security regulations. Failure to adapt procedures based on these lessons could prove extremely costly.

Lessons Learned from the First American Case.

Proactively Resolve Detected Vulnerabilities Promptly: The regulations mandate periodic penetration testing and vulnerability assessments. These tests can expose covered vulnerabilities, even at organizations with robust security programs. While many entities have procedures for remediating the identified susceptibilities within an time period, the First American action demonstrates these procedures must be more robust and fast acting. DFS alleges that First American’s response of instituting a 90 day plan to remediate the vulnerabilities, was a vast undervaluation of the risks they posed. DFS mentions that First American assigned “a new employee with little experience in data security” to address the detected issues. Based on the risk involved, this was wholly inadequate. Moreover, DFS claims that First American reviewed just 10 out of the potentially hundreds of millions of documents exposed. DFS also cited the company’s failure to comply with its internal remediation policies. First America failed to remediate within its self-imposed 90 days timeline, and did not follow up on the risk assessment. This demonstrates that companies must appropriately react based on the risks involved with any detected vulnerabilities. Remediation of vulnerabilities identified during penetration tests and vulnerability assessments must occur in a timely manner and the efforts to remediate must be led by capable personnel. Additionally, documentation of remediation efforts in concurrent records will be key to proving appropriate measures were taken.
Robust Risk Assessments: DFS requires a periodic risk assessment of information systems. The First American action reveals that DFS may scrutinize the scope and depth of those assessments. DFS pointed to a lack of a documented risk assessment of the vulnerable document delivery system and the failure to recognize that the system contained nonpublic information as a critical failure for First American. Therefore, covered entities must identify and perform risk assessments on all system that involved sensitive consumer information.
Appropriate Cybersecuity Training: DFS deemed First American’s training to be insufficient because the company purportedly delegated training to individual business units. There was no centralized supervision of the training or oversight of the departments. Taking note, entities should develop and audit their cybersecurity training programs, and create a centralized system for oversight of the training across all departments. Training intensity should increase with employees who handle or have access to sensitive information.
No Harm to Consumers is Required For High Penalties: In consumer driven Cybersecurity litigation, proving a harm plays a huge factor in the Plaintiff’s ability to recover. To contrast, there is no claim from DFS that consumers were harmed by First American’s alleged exposure of documents. Yet, as detailed in DFS’s press release, DFS is claiming there were roughly 255 million violations and that each violation constitutes a fine of up to $1,000. Companies should see this as a warning that consumer harm may not be a factor in DFS’s decision to levy extreme fines.

CONCLUSION

Covered entities should not wait until a cybersecurity incident occurs before ensuring policies, procedures and practices will pass under the scrutiny of a DFS action. The risk of significant financial penalties is too high. Covered entities should consistently assess their compliance with the cybersecurity regulations before an attack. If you have any questions regarding DFS’s Cybersecurity Regulation or would like to evaluate your current cybersecurity or data protection procedures, please contact Greenspoon Marder’s Regulatory Compliance practice group. Our well-rounded group of professionals includes nationally recognized attorneys, seasoned legislators, and experienced lobbyists, as well as a uniquely dedicated paralegal group to ensure personalized client service.

About Greenspoon Marder

Greenspoon Marder is a national full-service business law firm with over 200 attorneys and 25 locations across the United States. We are ranked among American Lawyer’s Am Law 200, as one of the top law firms in the U.S. since 2015. Our Regulatory Compliance & Defense practice group works closely with each client to understand their business model, goals, and objectives; and, to help our clients realize those goals while staying in compliance with applicable state and federal regulations. At Greenspoon Marder, we focus on pro-actively keeping our clients in good standing with regulators

Key Requirements of the NY’s Cybersecurity Regulation (23 NYCRR 500):

Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
Requirements that a cybersecurity program is adequately funded, overseen by a chief information security officer (which can include a third-party service provider), and implemented by qualified cybersecurity personnel.
Written cybersecurity policies and procedures to protect information systems and the nonpublic information on those systems, including information systems and nonpublic information accessible to, or held by, third-party service providers;
Effective incident response plans that include preserving data in order to respond to data breaches and providing notice within 72 hours to the NYDFS of material events.
Audit and risk basic trails designed to detect and respond to cybersecurity events.
Annual reports covering the risks faced, all material events, and the impact on protected data.

About Greenspoon Marder

Greenspoon Marder LLP is a full-service law firm with over 225 attorneys and more than 20 office locations across the United States. With operations from Miami to New York and from Denver to Los Angeles, our firm attracts some of the nation’s top talent in key markets and innovation hubs. Our core practice areas include Real Estate, Litigation, and Transactional Services, complemented by the capabilities of a full-service firm. Greenspoon Marder has maintained a spot on The American Lawyer’s Am Law 200 as one of the top law firms in the U.S. since 2015, and our goal is to provide exceptional client service by developing a thorough understanding of each client’s business needs and objectives in order to provide strategic, cost-effective solutions.

MEDIA CONTACT

Natalie Villanueva, Director of Marketing
954.333.4308 | [email protected]

This Greenspoon Marder LLP Client Alert is issued for informational purposes only and is not intended to be construed or used as general legal advice nor a solicitation of any type. Please contact the author(s) or your Greenspoon Marder LLP contact if you have any questions regarding the currency of this information. The hiring of a lawyer is an important decision. Before you decide, ask for written information about the lawyer’s legal qualifications and experience.

Previous Next

News

Greenspoon Marder Client Alert: Gaining Perspective From New York’s First Cybersecurity Enforcement Action

Share

News & Events

News & Events